
Windows Analysis Report
v3tK92KcJV.exe

Overview

General Information

Sample name: v3tK92KcJV.exe (renamed because the original name is a hash value)
Original sample name: f6d76bf6feb1be1dc008241ebe7f1378d4125b9e60357485124b4af9748dce13.exe
Analysis ID: 1587811
MD5: 746eef70bac7aba1b57e9821e5d3010f
SHA1: 253b25f0fa35132910a026abe1bd18c58b9a2145
SHA256: f6d76bf6feb1be1dc008241ebe7f1378d4125b9e60357485124b4af9748dce13
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • v3tK92KcJV.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\v3tK92KcJV.exe" MD5: 746EEF70BAC7ABA1B57E9821E5D3010F)
    • RegSvcs.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\v3tK92KcJV.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 7696 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 7752 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Extracted malware configuration: {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7525931722:AAHv5VReYz4Tdv44qTVu1nWYViZknndh3TU/sendMessage?chat_id=7361435574", "Token": "7525931722:AAHv5VReYz4Tdv44qTVu1nWYViZknndh3TU", "Chat_id": "7361435574", "Version": "5.1"}
Yara matches in memory dumps (Source; Rule; Description; Author; Strings)

Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x14898:$a1: get_encryptedPassword
  • 0x14b84:$a2: get_encryptedUsername
  • 0x146a4:$a3: get_timePasswordChanged
  • 0x1479f:$a4: get_passwordField
  • 0x148ae:$a5: set_encryptedPassword
  • 0x15f48:$a7: get_logins
  • 0x15eab:$a10: KeyLoggerEventArgs
  • 0x15b16:$a11: KeyLoggerEventArgsEventHandler
Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp; Rule: MALWARE_Win_SnakeKeylogger; Description: Detects Snake Keylogger; Author: ditekSHen; Strings:
  • 0x197fc:$x1: $%SMTPDV$
  • 0x181e0:$x2: $#TheHashHere%&
  • 0x197a4:$x3: %FTPDV$
  • 0x18180:$x4: $%TelegramDv$
  • 0x15b16:$x5: KeyLoggerEventArgs
  • 0x15eab:$x5: KeyLoggerEventArgs
  • 0x197c8:$m2: Clipboard Logs ID
  • 0x19a06:$m2: Screenshot Logs ID
  • 0x19b16:$m2: keystroke Logs ID
  • 0x19df0:$m3: SnakePW
  • 0x199de:$m4: \SnakeKeylogger\
Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings)

Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x12c98:$a1: get_encryptedPassword
  • 0x12f84:$a2: get_encryptedUsername
  • 0x12aa4:$a3: get_timePasswordChanged
  • 0x12b9f:$a4: get_passwordField
  • 0x12cae:$a5: set_encryptedPassword
  • 0x14348:$a7: get_logins
  • 0x142ab:$a10: KeyLoggerEventArgs
  • 0x13f16:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack; Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth; Strings:
  • 0x1a5b2:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x197e4:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19c17:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ac56:$a5: \Kometa\User Data\Default\Login Data
Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook; Description: Detects executables with potential process hoocking; Author: ditekSHen; Strings:
  • 0x13885:$s1: UnHook
  • 0x1388c:$s2: SetHook
  • 0x13894:$s3: CallNextHook
  • 0x138a1:$s4: _hook
No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T18:11:31.124953+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49774 | 104.21.16.1 | 443 | TCP
2025-01-10T18:11:32.471770+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49786 | 104.21.16.1 | 443 | TCP
2025-01-10T18:11:29.033367+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49757 | 132.226.247.73 | 80 | TCP
2025-01-10T18:11:30.564570+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49757 | 132.226.247.73 | 80 | TCP
2025-01-10T18:11:31.877122+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49780 | 132.226.247.73 | 80 | TCP

AV Detection

Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7525931722:AAHv5VReYz4Tdv44qTVu1nWYViZknndh3TU/sendMessage?chat_id=7361435574", "Token": "7525931722:AAHv5VReYz4Tdv44qTVu1nWYViZknndh3TU", "Chat_id": "7361435574", "Version": "5.1"}
Source: v3tK92KcJV.exe; VirusTotal: Detection: 69%
Source: v3tK92KcJV.exe; ReversingLabs: Detection: 68%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: v3tK92KcJV.exe; Joe Sandbox ML: detected

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: v3tK92KcJV.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.9:49763 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP; source: v3tK92KcJV.exe, 00000000.00000003.1384625776.0000000003990000.00000004.00001000.00020000.00000000.sdmp, v3tK92KcJV.exe, 00000000.00000003.1388474205.0000000003B60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: v3tK92KcJV.exe, 00000000.00000003.1384625776.0000000003990000.00000004.00001000.00020000.00000000.sdmp, v3tK92KcJV.exe, 00000000.00000003.1388474205.0000000003B60000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0073DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0073DBBE
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0070C2A2 FindFirstFileExW,0_2_0070C2A2
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_007468EE FindFirstFileW,FindClose,0_2_007468EE
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0074698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0074698F
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0073D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0073D076
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0073D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0073D3A9
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_00749642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00749642
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0074979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0074979D
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_00749B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00749B2B
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_00745C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00745C97

Networking

Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic; TCP traffic: 192.168.2.9:55302 -> 162.159.36.2:53
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View; IP Address: 132.226.247.73 132.226.247.73
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49780 -> 132.226.247.73:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49757 -> 132.226.247.73:80
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49774 -> 104.21.16.1:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49786 -> 104.21.16.1:443
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown; HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.9:49763 version: TLS 1.0
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0074CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0074CE44
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic; DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002D01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: v3tK92KcJV.exe, 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002D01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
Source: v3tK92KcJV.exe, 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.1507961295.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown; Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown; Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown; Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown; Network traffic detected: HTTP traffic on port 49774 -> 443
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0074EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0074EAFF
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0074ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0074ED6A
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_0073AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0073AA57
Source: C:\Users\user\Desktop\v3tK92KcJV.exe; Code function: 0_2_00769576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00769576

System Summary

Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger; Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger; Author: ditekSHen
Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger; Author: ditekSHen
Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables with potential process hoocking; Author: ditekSHen
Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger; Author: ditekSHen
Source: Process Memory Space: v3tK92KcJV.exe PID: 7468, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: Process Memory Space: v3tK92KcJV.exe PID: 7468, type: MEMORYSTR; Matched rule: Detects Snake Keylogger; Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR; Matched rule: Detects Snake Keylogger; Author: ditekSHen
Source: v3tK92KcJV.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: v3tK92KcJV.exe, 00000000.00000000.1362116936.0000000000792000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_a97cf7e4-c)
            Source: v3tK92KcJV.exe, 00000000.00000000.1362116936.0000000000792000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_27aa7807-4
            Source: v3tK92KcJV.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_564de8bc-8
            Source: v3tK92KcJV.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_cbe0a7c5-d
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_0073D5EB: CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_00731201: LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_0073E8F6: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006DBF40
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006D8060
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_00742046
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_00738298
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_0070E4FF
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_0070676B
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_00764873
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006DCAF0
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006FCAA0
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006ECC39
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_00706DD9
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006EB119
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006D91C0
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F1394
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F1706
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F781B
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006E997D
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006D7920
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F19B0
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F7A4A
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F1C77
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F7CA7
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_0075BE44
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_00709EEE
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F1F32
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_012134A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01296108
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129C190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129B328
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129C470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129C752
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01299858
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01296880
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129BBD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129CA32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01294AD9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129BEB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01293572
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0129B4F2
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: String function: 006F0A30 appears 46 times
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: String function: 006EF9F2 appears 40 times
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: String function: 006F4963 appears 31 times
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: String function: 006D9CB3 appears 31 times
            Source: v3tK92KcJV.exe, 00000000.00000003.1386928513.0000000003C8D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs v3tK92KcJV.exe
            Source: v3tK92KcJV.exe, 00000000.00000003.1385928307.0000000003AB3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs v3tK92KcJV.exe
            Source: v3tK92KcJV.exe, 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs v3tK92KcJV.exe
            Source: v3tK92KcJV.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: v3tK92KcJV.exe PID: 7468, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: v3tK92KcJV.exe PID: 7468, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/3@4/2
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_007437B5: GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_007310BF: AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_007316C3: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_007451CD: SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_0075A67C: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_0074648E: _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006D42A2: CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | File created: C:\Users\user\AppData\Local\Temp\aut9C.tmp
            Source: v3tK92KcJV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: v3tK92KcJV.exe | Virustotal: Detection: 69%
            Source: v3tK92KcJV.exe | ReversingLabs: Detection: 68%
            Source: unknown | Process created: C:\Users\user\Desktop\v3tK92KcJV.exe "C:\Users\user\Desktop\v3tK92KcJV.exe"
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\v3tK92KcJV.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
            Source: v3tK92KcJV.exe | Static file information: File size 1059840 > 1048576
            Source: v3tK92KcJV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: v3tK92KcJV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: v3tK92KcJV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: v3tK92KcJV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: v3tK92KcJV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: v3tK92KcJV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: v3tK92KcJV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wntdll.pdbUGP source: v3tK92KcJV.exe, 00000000.00000003.1384625776.0000000003990000.00000004.00001000.00020000.00000000.sdmp, v3tK92KcJV.exe, 00000000.00000003.1388474205.0000000003B60000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: v3tK92KcJV.exe, 00000000.00000003.1384625776.0000000003990000.00000004.00001000.00020000.00000000.sdmp, v3tK92KcJV.exe, 00000000.00000003.1388474205.0000000003B60000.00000004.00001000.00020000.00000000.sdmp
            Source: v3tK92KcJV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: v3tK92KcJV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: v3tK92KcJV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: v3tK92KcJV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: v3tK92KcJV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006D42DE: GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006F0A76: push ecx; ret (0_2_006F0A89)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012924B9: push 8BFFFFFFh; retf (2_2_012924BF)
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_006EF98E: GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Code function: 0_2_00761C41: IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe API/Special instruction interceptor: Address: 12130CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: 51 calls, delay time values in call order: 922337203685477, 600000, 599875, 599766, 599657, 599532, 599422, 599313, 599188, 599069, 598953, 598844, 598735, 598610, 598485, 598371, 598250, 598136, 597988, 597860, 597749, 597641, 597516, 597407, 597282, 597172, 597063, 596938, 596813, 596688, 596563, 596453, 596344, 596219, 596110, 595985, 595860, 595735, 595610, 595485, 595349, 595224, 595101, 594961, 594844, 594719, 594609, 594500, 594391, 594279, 594172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1858
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7972
            Source: C:\Users\user\Desktop\v3tK92KcJV.exeAPI coverage: 4.2 %
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
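The delay evidence above is the payload inside RegSvcs.exe asking for one effectively infinite sleep (922337203685477 is Int64.MaxValue ticks expressed in milliseconds, i.e. a .NET sleep of TimeSpan.MaxValue) and then a run of sleeps that each shrink by roughly 110 to 125, the shape of a loop that sleeps "deadline minus now" and re-checks the clock, so a sandbox that shortens or skips individual sleeps gains nothing. The following Python is an added example, not part of the Joe Sandbox report or of any vendor tooling: it parses delay lines in the flattened form this page uses, profiles each image's requested delays, and flags the three evasive shapes. The sample lines are constructed from the first values above plus an invented benign process; the millisecond interpretation of "delay time", the sandbox budget and the countdown thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Int64.MaxValue ticks (100 ns) expressed in milliseconds: what a .NET
# Thread.Sleep/Task.Delay of TimeSpan.MaxValue shows up as in the report.
DOTNET_MAX_SLEEP_MS = 9223372036854775807 // 10_000  # 922337203685477

# Assumed tuning: a typical sandbox run budget, and the shape of a
# "sleep until deadline, then re-check the clock" loop.
SANDBOX_BUDGET_MS = 5 * 60 * 1000
MIN_COUNTDOWN_RUN = 5          # consecutive shrinking delays to call it a loop
MAX_COUNTDOWN_STEP_MS = 1000   # per-iteration shrink typical of such a loop

# Matches the flattened report line with or without the missing space before
# "Thread delayed" and with or without the trailing link residue.
LINE_RE = re.compile(
    r"Source:\s*(?P<image>\S+?)\s*Thread delayed:\s*delay time:\s*(?P<ms>\d+)"
)


@dataclass
class DelayProfile:
    image: str
    delays_ms: list[int] = field(default_factory=list)
    max_value_sleeps: int = 0     # requests for DOTNET_MAX_SLEEP_MS ("forever")
    total_finite_ms: int = 0      # sum of every other requested delay
    countdown_loop: bool = False  # monotonically shrinking delays
    reasons: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "evasive" if self.reasons else "benign"


def _has_countdown(delays: list[int]) -> bool:
    """True if MIN_COUNTDOWN_RUN consecutive delays each shrink by a small step.

    A loop that sleeps `deadline - now` until the deadline passes produces
    exactly this when the sandbox shortens or skips each sleep: the wall
    clock, not the sleep call, decides when the payload proceeds.
    """
    run = 1
    for prev, cur in zip(delays, delays[1:]):
        if 0 < prev - cur <= MAX_COUNTDOWN_STEP_MS:
            run += 1
            if run >= MIN_COUNTDOWN_RUN:
                return True
        else:
            run = 1
    return False


def analyze_delays(lines) -> dict[str, DelayProfile]:
    """Parse 'Thread delayed' report lines into one DelayProfile per image."""
    profiles: dict[str, DelayProfile] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # some other report row, heading or blank line
        prof = profiles.setdefault(m["image"], DelayProfile(m["image"]))
        ms = int(m["ms"])
        prof.delays_ms.append(ms)
        if ms >= DOTNET_MAX_SLEEP_MS:
            prof.max_value_sleeps += 1
        else:
            prof.total_finite_ms += ms
    for prof in profiles.values():
        finite = [d for d in prof.delays_ms if d < DOTNET_MAX_SLEEP_MS]
        prof.countdown_loop = _has_countdown(finite)
        if prof.max_value_sleeps:
            prof.reasons.append(f"{prof.max_value_sleeps} sleep(s) of TimeSpan.MaxValue")
        if prof.total_finite_ms > SANDBOX_BUDGET_MS:
            prof.reasons.append(f"requested {prof.total_finite_ms // 1000}s of sleep in total")
        if prof.countdown_loop:
            prof.reasons.append("deadline countdown loop")
    return profiles


# Constructed sample: the first seven RegSvcs.exe values from this report in the
# page's flattened form, plus an invented benign process for contrast.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599766Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599657Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599532Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599422Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\updater.exe Thread delayed: delay time: 100",
    r"Source: C:\Users\user\AppData\Local\Temp\updater.exe Thread delayed: delay time: 250",
    r"Source: C:\Users\user\AppData\Local\Temp\updater.exe Thread delayed: delay time: 100",
]

if __name__ == "__main__":
    for image, prof in analyze_delays(SAMPLE_LINES).items():
        print(f"{image}: {prof.verdict} {prof.reasons}")
```

The countdown check is the one that matters operationally: a sandbox can patch Sleep to return immediately, but the loop keeps asking for the time still left until its deadline, so the remaining-time sequence is visible in the log even when no real waiting happened.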
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0073DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0070C2A2 FindFirstFileExW
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_007468EE FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0074698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0073D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0073D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00749642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0074979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00749B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00745C97 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: RegSvcs.exe, 00000002.00000002.1507470359.00000000010C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0074EAA2 BlockInput
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00702622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006F4CE8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_01213338 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_01213398 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_01211D48 mov eax, dword ptr fs:[00000030h]
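The four functions above that execute mov eax, dword ptr fs:[00000030h] read the PEB pointer straight out of the TEB, which is how code checks PEB.BeingDebugged (offset 2) or PEB.NtGlobalFlag (offset 0x68) without calling IsDebuggerPresent, the API a debugger or sandbox would hook. The following Python is an added example, not code from the report or from the sample: it scans raw x86 code for the fs:[30h] read encodings and classifies each hit by the PEB field accessed right after it. The byte fragment it runs on is constructed for the example, not taken from v3tK92KcJV.exe.

```python
import re

# x86 (32-bit) encodings of "load the PEB pointer from the TEB": a 64h fs:
# override on mov eax, fs:[30h] (A1 disp32) or mov ecx/edx/ebx/esi/edi, fs:[30h]
# (8B /r with mod=00 rm=101, i.e. modrm 0D/15/1D/35/3D, then disp32).
PEB_READ_RE = re.compile(rb"\x64(?:\xA1|\x8B[\x0D\x15\x1D\x35\x3D])\x30\x00\x00\x00")

# What the code does next with that pointer decides what it is checking.
# Encodings with mod=01 (disp8) for any base/destination register pair.
FOLLOWUPS = [
    ("BeingDebugged", re.compile(rb"\x0F\xB6[\x40-\x7F]\x02")),  # movzx r32, byte [r+2]
    ("NtGlobalFlag",  re.compile(rb"\x8B[\x40-\x7F]\x68")),      # mov r32, [r+68h]
    ("ProcessHeap",   re.compile(rb"\x8B[\x40-\x7F]\x18")),      # mov r32, [r+18h] (benign)
]
WINDOW = 16  # bytes after the PEB read in which to look for the field access


def find_peb_reads(code: bytes, base: int = 0) -> list[dict]:
    """Locate fs:[30h] PEB reads in raw x86 code and classify each by follow-up."""
    hits = []
    for m in PEB_READ_RE.finditer(code):
        window = code[m.end():m.end() + WINDOW]
        field = next((name for name, rx in FOLLOWUPS if rx.search(window)), None)
        hits.append({"offset": m.start(), "va": base + m.start(),
                     "bytes": m.group().hex(), "followup": field})
    return hits


# Constructed x86 fragment (not from the sample): a BeingDebugged check followed
# by an NtGlobalFlag check, the two classic manual PEB anti-debug probes.
SAMPLE_CODE = bytes.fromhex(
    "558bec"            # push ebp; mov ebp, esp
    "64a130000000"      # mov eax, fs:[30h]            (PEB)
    "0fb64002"          # movzx eax, byte ptr [eax+2]  (PEB.BeingDebugged)
    "85c07505"          # test eax, eax; jnz +5
    "90909090"          # nop x4
    "648b0d30000000"    # mov ecx, fs:[30h]            (PEB)
    "8b4168"            # mov eax, [ecx+68h]           (PEB.NtGlobalFlag)
    "c3"                # ret
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE, base=0x00400000):
        print(f"{h['va']:08X} {h['bytes']}  -> {h['followup']}")
```

Benign runtime code also loads the PEB (for example to reach ProcessHeap or the OS version fields), so a bare fs:[30h] read is a lead and the follow-up field access is the evidence. Run the scan over unpacked memory as well as the on-disk file: three of the four hits in this report sit at 0x0121xxxx, far from the 0x006Dxxxx to 0x0075xxxx range of the loader's other functions, i.e. in code that only exists after unpacking.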
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00730B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00702622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006F09D5 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D45008
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00731201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00712BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0073B226 SendInput,keybd_event
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_007522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\v3tK92KcJV.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00730B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00731663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
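The lines above describe one chain: the AutoIt loader starts RegSvcs.exe with the loader's own path as the command line, maps an execute/read/write section into it and writes its memory, and the payload now running as RegSvcs.exe later spawns cmd.exe with a choice-based three-second timer to delete the host image. The following Python is an added example, not part of the Joe Sandbox report or of any vendor product: it runs three checks over process-creation and remote-memory events and returns the findings. The event list is constructed to mirror this report's process tree; PIDs 7468 and 7544 come from the report, while the other PIDs, the event field names and the list of .NET host binaries are assumptions.

```python
import re
from dataclasses import dataclass

# .NET Framework utilities that loaders start suspended and hollow
# (assumed list; extend with what your environment sees).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "csc.exe", "vbc.exe"}

# "choice /C Y /N /D Y /T <n> & Del <file>": a timer-then-delete idiom that
# needs neither timeout.exe nor PowerShell, as spawned by RegSvcs.exe above.
SELF_DELETE_RE = re.compile(
    r'\bchoice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+(?P<secs>\d+)\s*&\s*del\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _first_token(cmdline: str) -> str:
    """Program path at the start of a command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(None, 1)[0]


def detect(events: list[dict]) -> list[Finding]:
    """Run three checks over process_create and remote_memory events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    out: list[Finding] = []
    for e in events:
        if e["type"] == "process_create":
            image = _norm(e["image"])
            name = image.rsplit("\\", 1)[-1]
            parent = procs.get(e["ppid"])
            # 1. Hollowed .NET host: argv[0] is the parent's executable, not the
            #    host's own image (what a RunPE loader passes to CreateProcess).
            if name in DOTNET_HOSTS and parent is not None:
                argv0 = _norm(_first_token(e["cmdline"]))
                if argv0 != image and argv0 == _norm(parent["image"]):
                    out.append(Finding("hollowed_dotnet_host", e["pid"],
                                       f"{name} started as {argv0}"))
            # 2. choice-timer self-delete; note if the target is the parent image.
            m = SELF_DELETE_RE.search(e["cmdline"]) if name == "cmd.exe" else None
            if m:
                target = _norm(m["target"])
                own = parent is not None and target == _norm(parent["image"])
                out.append(Finding("timed_self_delete", e["pid"],
                    f"deletes {'own parent image' if own else target} after {m['secs']}s"))
        elif e["type"] == "remote_memory":
            # 3. Execute+write region mapped or written into a .NET host by
            #    another process ("Section loaded ... execute and read and write").
            tgt = procs.get(e["target_pid"])
            prot = e.get("protection", "").lower()
            if (tgt is not None and e["source_pid"] != e["target_pid"]
                    and _norm(tgt["image"]).rsplit("\\", 1)[-1] in DOTNET_HOSTS
                    and "execute" in prot and "write" in prot):
                out.append(Finding("rwx_region_into_dotnet_host", e["target_pid"],
                                   f"{e['op']} from pid {e['source_pid']} ({prot})"))
    return out


LOADER = r"C:\Users\user\Desktop\v3tK92KcJV.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events mirroring this report's process tree. PIDs 7468 and 7544
# are the report's; 1000, 7600, 7620 and the field names are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 7468, "ppid": 1000,
     "image": LOADER, "cmdline": f'"{LOADER}"'},
    {"type": "process_create", "pid": 7544, "ppid": 7468,
     "image": HOST, "cmdline": f'"{LOADER}"'},
    {"type": "remote_memory", "source_pid": 7468, "target_pid": 7544,
     "op": "section map", "protection": "execute and read and write"},
    {"type": "process_create", "pid": 7600, "ppid": 7544,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "{HOST}"'},
    {"type": "process_create", "pid": 7620, "ppid": 7600,
     "image": r"C:\Windows\SysWOW64\choice.exe", "cmdline": "choice /C Y /N /D Y /T 3"},
]

# Constructed benign control: RegSvcs.exe run by hand with its own path as argv[0].
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process_create", "pid": 501, "ppid": 500,
     "image": HOST, "cmdline": f'"{HOST}" MyService.dll'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

The argv[0] mismatch is the cheapest of the three signals and survives when memory telemetry is missing; the choice/del idiom is worth matching on its own because it is seen across .NET stealer families. That the Del target here is a file under C:\Windows, which would normally fail against a TrustedInstaller-owned binary, is incidental: the routine deletes whatever image it finds itself running from.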
            Source: v3tK92KcJV.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: v3tK92KcJV.exe Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006F0698 cpuid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00748195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0072D27A GetUserNameW
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_0070B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; file source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.1507961295.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: Process Memory Space: v3tK92KcJV.exe PID: 7468, type: MEMORYSTR
            Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
            Source: v3tK92KcJV.exe Binary or memory string: WIN_81
            Source: v3tK92KcJV.exe Binary or memory string: WIN_XP
            Source: v3tK92KcJV.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: v3tK92KcJV.exe Binary or memory string: WIN_XPe
            Source: v3tK92KcJV.exe Binary or memory string: WIN_VISTA
            Source: v3tK92KcJV.exe Binary or memory string: WIN_7
            Source: v3tK92KcJV.exe Binary or memory string: WIN_8
            Source: Yara match; file source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: Process Memory Space: v3tK92KcJV.exe PID: 7468, type: MEMORYSTR
            Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; file source: 0.2.v3tK92KcJV.exe.1d50000.1.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 0.2.v3tK92KcJV.exe.1d50000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.1507961295.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: Process Memory Space: v3tK92KcJV.exe PID: 7468, type: MEMORYSTR
            Source: Yara match; file source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00751204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\v3tK92KcJV.exe Code function: 0_2_00751806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK matrix

            Techniques flagged by this report's signatures, grouped by tactic; the number in parentheses is the count shown in the matrix cell.

            Initial Access: Valid Accounts (2)
            Execution: Native API (1)
            Persistence: DLL Side-Loading (1); Valid Accounts (2)
            Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212)
            Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (111); Access Token Manipulation (21); Process Injection (212)
            Credential Access: Input Capture (21)
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (126); Security Software Discovery (221); Virtualization/Sandbox Evasion (111); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
            Collection: Archive Collected Data (1); Input Capture (21); Clipboard Data (3)
            Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13)
            Impact: System Shutdown/Reboot (1)
            Reconnaissance, Resource Development, Lateral Movement, Exfiltration: no technique flagged
Source | Detection | Scanner | Label
v3tK92KcJV.exe | 69% | Virustotal |
v3tK92KcJV.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject
v3tK92KcJV.exe | 100% | Joe Sandbox ML |
No Antivirus matches (dropped files, unpacked PE files, domains, URLs)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.16.1 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
53.210.109.20.in-addr.arpa | unknown | unknown | true | | unknown
checkip.dyndns.org | unknown | unknown | false | | high
171.39.242.20.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.1507961295.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.1507961295.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.1507961295.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | v3tK92KcJV.exe, 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000002.00000002.1507961295.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.1507961295.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EB3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | v3tK92KcJV.exe, 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1507961295.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
                                          Joe Sandbox version:42.0.0 Malachite
                                          Analysis ID:1587811
                                          Start date and time:2025-01-10 18:10:30 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 4m 32s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:v3tK92KcJV.exe
                                          renamed because original name is a hash value
                                          Original Sample Name:f6d76bf6feb1be1dc008241ebe7f1378d4125b9e60357485124b4af9748dce13.exe
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@8/3@4/2
                                          EGA Information:
                                          • Successful, ratio: 50%
                                          HCA Information:
                                          • Successful, ratio: 99%
                                          • Number of executed functions: 49
                                          • Number of non-executed functions: 301
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Stop behavior analysis, all processes terminated
                                          • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200, 20.242.39.171, 20.109.210.53, 4.245.163.56
                                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target RegSvcs.exe, PID 7544 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
12:11:29 | API Interceptor | 76x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
132.226.247.73 | MtxN2qEWpW.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | New Order-090125.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.247.73 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | 1C24TDP_000000029.jse | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | Copy shipping docs PO EV1786 LY ECO PAK EV1.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | JB#40044 Order.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | zAK7HHniGW.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | MtxN2qEWpW.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | b5JCISnBV1.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | ql8KpEHT7y.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | tx4pkcHL9o.exe | malicious | MassLogger RAT | 158.101.44.242
reallyfreegeoip.org | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.80.1
reallyfreegeoip.org | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | zAK7HHniGW.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | MtxN2qEWpW.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | b5JCISnBV1.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | ql8KpEHT7y.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | tx4pkcHL9o.exe | malicious | MassLogger RAT | 104.21.32.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | phish_alert_sp2_2.0.0.0 (1).eml | malicious | Unknown | 104.18.32.25
CLOUDFLARENETUS | 4sfN3Gx1vO.exe | malicious | FormBook | 104.21.64.1
CLOUDFLARENETUS | smQoKNkwB7.exe | malicious | FormBook | 104.21.18.171
CLOUDFLARENETUS | https://www.shinsengumiusa.com/mrloskie | malicious | Unknown | 104.16.79.73
CLOUDFLARENETUS | qlG7x91YXH.exe | malicious | FormBook | 104.21.80.1
CLOUDFLARENETUS | 44742054371077666.js | malicious | Strela Downloader | 172.64.41.3
CLOUDFLARENETUS | http://atozpdfbooks.com | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://infarmbureau.com | malicious | Unknown | 104.16.40.28
CLOUDFLARENETUS | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.80.1
CLOUDFLARENETUS | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
UTMEMUS | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
UTMEMUS | MtxN2qEWpW.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | b5JCISnBV1.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | New Order-090125.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73
UTMEMUS | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
UTMEMUS | 1C24TDP_000000029.jse | malicious | MassLogger RAT | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | zAK7HHniGW.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | MtxN2qEWpW.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | b5JCISnBV1.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | ql8KpEHT7y.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | tx4pkcHL9o.exe | malicious | MassLogger RAT | 104.21.16.1
                                          No context
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1039
                                          Entropy (8bit):5.353332853270839
                                          Encrypted:false
                                          SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                          MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                          SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                          SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                          SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                          Process:C:\Users\user\Desktop\v3tK92KcJV.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):81124
                                          Entropy (8bit):7.823626347983956
                                          Encrypted:false
                                          SSDEEP:1536:2QQlKgH3GZXMJbuFzkLG0bGOtynD6maQ4am+T6fXXPeTkGshB9uwUtIiIHvtfXGn:ylKH8JbueLGwQ6bQk+T6fnPeQhBUFtqC
                                          MD5:88B350AB9D0CB8BBFCE7A72634384509
                                          SHA1:513D48F7AA55C50AC8BE0AA9B03B937CB7287732
                                          SHA-256:EBD477B7C67B81D9F536E3BBAD6F3704FF2452FC3634E79827229C7833E322FD
                                          SHA-512:A01BCFBB7E31D0DF0D23A21F518C440EC341BA78F4D49989CA8A7F72F9F7600B51EC066E9BEAAE2E511AB349638319A016E628AFFE8CF0DB47D4D90292823520
                                          Malicious:false
                                          Reputation:low
Preview: binary data (raw dump omitted)
                                          Process:C:\Users\user\Desktop\v3tK92KcJV.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):133632
                                          Entropy (8bit):6.786671083285029
                                          Encrypted:false
                                          SSDEEP:3072:RZjH/AqQM2DBflXxKog4Vy9Ei0cI8BhtNNfgID/4Q55V:lAg4Vyd0cI8/NfgID/75D
                                          MD5:3CB86DAD2CD2AC0EF6D0FF35D9F66F8A
                                          SHA1:6A2642F0666D7015E92BCB532735B431C58B8F0A
                                          SHA-256:6E59726159532E11B936257B9F9EEDA8C86BB6F8B4FF3516A503DD54DE2CFFB1
                                          SHA-512:AAF50E777530C6EBD4D1AC47905543BE303D8FD1CF4A99D3F9829437E7121109AFE789EC57CB81D45053B96DE5798BD3EA46283F3220180AA17611437BA9041B
                                          Malicious:false
                                          Reputation:low
Preview: binary data (raw dump omitted)
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):6.8768446009150725
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:v3tK92KcJV.exe
                                          File size:1'059'840 bytes
                                          MD5:746eef70bac7aba1b57e9821e5d3010f
                                          SHA1:253b25f0fa35132910a026abe1bd18c58b9a2145
                                          SHA256:f6d76bf6feb1be1dc008241ebe7f1378d4125b9e60357485124b4af9748dce13
                                          SHA512:92bd305113d6f9538e7ddafd6cb931c74feed87051cb6ef60ed342b8f83dba5dd52be417805e898fd2a1110725dca8865ee24846d9ae75bcd697b72a79c8beb2
                                          SSDEEP:24576:LqDEvCTbMWu7rQYlBQcBiT6rprG8aHRk:LTvC/MTQYxsWR7aH
                                          TLSH:7E35BF0273D1D062FFAB92334B5AF6115BBC69260123E62F13981DB9BD705B1463E7A3
                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                          Icon Hash:aaf3e3e3938382a0
                                          Entrypoint:0x420577
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6762B508 [Wed Dec 18 11:42:00 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:5
                                          OS Version Minor:1
                                          File Version Major:5
                                          File Version Minor:1
                                          Subsystem Version Major:5
                                          Subsystem Version Minor:1
                                          Import Hash:948cc502fe9226992dce9417f952fce3
                                          Instruction
                                          call 00007F92C4C1A6C3h
                                          jmp 00007F92C4C19FCFh
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          push dword ptr [ebp+08h]
                                          mov esi, ecx
                                          call 00007F92C4C1A1ADh
                                          mov dword ptr [esi], 0049FDF0h
                                          mov eax, esi
                                          pop esi
                                          pop ebp
                                          retn 0004h
                                          and dword ptr [ecx+04h], 00000000h
                                          mov eax, ecx
                                          and dword ptr [ecx+08h], 00000000h
                                          mov dword ptr [ecx+04h], 0049FDF8h
                                          mov dword ptr [ecx], 0049FDF0h
                                          ret
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          push dword ptr [ebp+08h]
                                          mov esi, ecx
                                          call 00007F92C4C1A17Ah
                                          mov dword ptr [esi], 0049FE0Ch
                                          mov eax, esi
                                          pop esi
                                          pop ebp
                                          retn 0004h
                                          and dword ptr [ecx+04h], 00000000h
                                          mov eax, ecx
                                          and dword ptr [ecx+08h], 00000000h
                                          mov dword ptr [ecx+04h], 0049FE14h
                                          mov dword ptr [ecx], 0049FE0Ch
                                          ret
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          mov esi, ecx
                                          lea eax, dword ptr [esi+04h]
                                          mov dword ptr [esi], 0049FDD0h
                                          and dword ptr [eax], 00000000h
                                          and dword ptr [eax+04h], 00000000h
                                          push eax
                                          mov eax, dword ptr [ebp+08h]
                                          add eax, 04h
                                          push eax
                                          call 00007F92C4C1CD6Dh
                                          pop ecx
                                          pop ecx
                                          mov eax, esi
                                          pop esi
                                          pop ebp
                                          retn 0004h
                                          lea eax, dword ptr [ecx+04h]
                                          mov dword ptr [ecx], 0049FDD0h
                                          push eax
                                          call 00007F92C4C1CDB8h
                                          pop ecx
                                          ret
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          mov esi, ecx
                                          lea eax, dword ptr [esi+04h]
                                          mov dword ptr [esi], 0049FDD0h
                                          push eax
                                          call 00007F92C4C1CDA1h
                                          test byte ptr [ebp+08h], 00000001h
                                          pop ecx
                                          Programming Language:
                                          • [ C ] VS2008 SP1 build 30729
                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x2c124 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x101000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x2c124 | 0x2c200 | 9c952c929744b5dbecfc850e77982ae8 | False | 0.8506440332861189 | data | 7.69250550502153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x101000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x233e9 | data | | | 1.0003532810107993
RT_GROUP_ICON | 0xffba4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xffc1c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xffc30 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xffc44 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xffc58 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xffd34 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T18:11:29.033367+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49757 | 132.226.247.73 | 80 | TCP
2025-01-10T18:11:30.564570+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49757 | 132.226.247.73 | 80 | TCP
2025-01-10T18:11:31.124953+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49774 | 104.21.16.1 | 443 | TCP
2025-01-10T18:11:31.877122+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49780 | 132.226.247.73 | 80 | TCP
2025-01-10T18:11:32.471770+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49786 | 104.21.16.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 18:11:28.074700117 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:28.080638885 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:28.080847979 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:28.081033945 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:28.085936069 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:28.760343075 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:28.768863916 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:28.774692059 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:28.978121042 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:29.033366919 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:29.081830025 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:29.081870079 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:29.082063913 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:29.185344934 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:29.185369968 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:29.664630890 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:29.664737940 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:29.670675039 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:29.670697927 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:29.671125889 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:29.720834017 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.153039932 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.195344925 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:30.271411896 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:30.271480083 CET | 443 | 49763 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:30.271536112 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.298350096 CET | 49763 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.302980900 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:30.307821035 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:30.512279034 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:30.518922091 CET | 49774 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.518961906 CET | 443 | 49774 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:30.519058943 CET | 49774 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.519423008 CET | 49774 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.519449949 CET | 443 | 49774 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:30.564569950 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:30.982558012 CET | 443 | 49774 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:30.986392021 CET | 49774 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:30.986407995 CET | 443 | 49774 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:31.124963045 CET | 443 | 49774 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:31.125031948 CET | 443 | 49774 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:31.125121117 CET | 49774 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:31.125565052 CET | 49774 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:31.129662991 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:31.130940914 CET | 49780 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:31.134727955 CET | 80 | 49757 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:31.134790897 CET | 49757 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:31.135904074 CET | 80 | 49780 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:31.135972977 CET | 49780 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:31.136092901 CET | 49780 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:31.140840054 CET | 80 | 49780 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:31.828016996 CET | 80 | 49780 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:31.829157114 CET | 49786 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:31.829209089 CET | 443 | 49786 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:31.829282045 CET | 49786 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:31.829500914 CET | 49786 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:31.829518080 CET | 443 | 49786 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:31.877121925 CET | 49780 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:32.299103022 CET | 443 | 49786 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:32.305121899 CET | 49786 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:32.305161953 CET | 443 | 49786 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:32.471792936 CET | 443 | 49786 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:32.471857071 CET | 443 | 49786 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:32.471951962 CET | 49786 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:32.511324883 CET | 49786 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:32.530970097 CET | 49790 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:32.536102057 CET | 80 | 49790 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:32.536156893 CET | 49790 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:32.536268950 CET | 49790 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:32.540992022 CET | 80 | 49790 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:33.240595102 CET | 80 | 49790 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:33.241898060 CET | 49793 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:33.241956949 CET | 443 | 49793 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:33.242033958 CET | 49793 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:33.242281914 CET | 49793 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:33.242311001 CET | 443 | 49793 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:33.283349037 CET | 49790 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:33.716589928 CET | 443 | 49793 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:33.718156099 CET | 49793 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:33.718185902 CET | 443 | 49793 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:33.873406887 CET | 443 | 49793 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:33.873475075 CET | 443 | 49793 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:33.873539925 CET | 49793 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:33.874192953 CET | 49793 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:33.877860069 CET | 49790 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:33.879143000 CET | 49799 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:33.882792950 CET | 80 | 49790 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:33.882873058 CET | 49790 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:33.883960962 CET | 80 | 49799 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:33.884079933 CET | 49799 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:33.884239912 CET | 49799 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:33.889014006 CET | 80 | 49799 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:34.575445890 CET | 80 | 49799 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 18:11:34.576994896 CET | 49805 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:34.577053070 CET | 443 | 49805 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:34.577272892 CET | 49805 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:34.577425003 CET | 49805 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:34.577445984 CET | 443 | 49805 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:34.627209902 CET | 49799 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 18:11:35.041553020 CET | 443 | 49805 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:35.043461084 CET | 49805 | 443 | 192.168.2.9 | 104.21.16.1
Jan 10, 2025 18:11:35.043488979 CET | 443 | 49805 | 104.21.16.1 | 192.168.2.9
Jan 10, 2025 18:11:35.196225882 CET | 443 | 49805 | 104.21.16.1 | 192.168.2.9
                                          Jan 10, 2025 18:11:35.196293116 CET44349805104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:35.196454048 CET49805443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:35.197325945 CET49805443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:35.280177116 CET4979980192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:35.280798912 CET4981180192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:35.286406994 CET8049799132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:35.286719084 CET8049811132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:35.286777020 CET4979980192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:35.286806107 CET4981180192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:35.291589975 CET4981180192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:35.297533035 CET8049811132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:35.966720104 CET8049811132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:35.968174934 CET49817443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:35.968223095 CET44349817104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:35.968302965 CET49817443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:35.968571901 CET49817443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:35.968585014 CET44349817104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:36.017739058 CET4981180192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:36.439404011 CET44349817104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:36.441227913 CET49817443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:36.441267014 CET44349817104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:36.595854044 CET44349817104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:36.595926046 CET44349817104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:36.596009016 CET49817443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:36.596591949 CET49817443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:36.599992037 CET4981180192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:36.600739956 CET4982380192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:36.605690956 CET8049811132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:36.606120110 CET8049823132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:36.606240988 CET4982380192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:36.606251955 CET4981180192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:36.606432915 CET4982380192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:36.611881971 CET8049823132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:37.279310942 CET8049823132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:37.280884981 CET49829443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:37.280926943 CET44349829104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:37.281497955 CET49829443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:37.281727076 CET49829443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:37.281744957 CET44349829104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:37.330230951 CET4982380192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:37.764098883 CET44349829104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:37.765676975 CET49829443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:37.765713930 CET44349829104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:37.912122965 CET44349829104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:37.912184954 CET44349829104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:37.912256956 CET49829443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:37.912746906 CET49829443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:37.917108059 CET4982380192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:37.917701006 CET4983280192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:37.922219992 CET8049823132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:37.922339916 CET4982380192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:37.922631025 CET8049832132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:37.922723055 CET4983280192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:37.922832966 CET4983280192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:37.927567959 CET8049832132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:38.613615036 CET8049832132.226.247.73192.168.2.9
                                          Jan 10, 2025 18:11:38.615124941 CET49837443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:38.615163088 CET44349837104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:38.615225077 CET49837443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:38.615957022 CET49837443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:38.615968943 CET44349837104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:38.658358097 CET4983280192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:39.072017908 CET44349837104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:39.073802948 CET49837443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:39.073824883 CET44349837104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:39.232119083 CET44349837104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:39.232191086 CET44349837104.21.16.1192.168.2.9
                                          Jan 10, 2025 18:11:39.232242107 CET49837443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:39.232866049 CET49837443192.168.2.9104.21.16.1
                                          Jan 10, 2025 18:11:39.433090925 CET4983280192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:39.433161020 CET4978080192.168.2.9132.226.247.73
                                          Jan 10, 2025 18:11:55.103538036 CET5530253192.168.2.9162.159.36.2
                                          Jan 10, 2025 18:11:55.108434916 CET5355302162.159.36.2192.168.2.9
                                          Jan 10, 2025 18:11:55.108524084 CET5530253192.168.2.9162.159.36.2
                                          Jan 10, 2025 18:11:55.113527060 CET5355302162.159.36.2192.168.2.9
                                          Jan 10, 2025 18:11:55.575740099 CET5530253192.168.2.9162.159.36.2
                                          Jan 10, 2025 18:11:55.580832958 CET5355302162.159.36.2192.168.2.9
                                          Jan 10, 2025 18:11:55.580887079 CET5530253192.168.2.9162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 18:11:28.062705040 CET | 62526 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 18:11:28.069660902 CET | 53 | 62526 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 18:11:29.071383953 CET | 63838 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 18:11:29.080396891 CET | 53 | 63838 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 18:11:55.102951050 CET | 53 | 63922 | 162.159.36.2 | 192.168.2.9
Jan 10, 2025 18:11:55.590008020 CET | 64195 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 18:11:55.596801043 CET | 53 | 64195 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 18:11:56.738717079 CET | 52213 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 18:11:56.745785952 CET | 53 | 52213 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 18:11:28.062705040 CET | 192.168.2.9 | 1.1.1.1 | 0xdc79 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.071383953 CET | 192.168.2.9 | 1.1.1.1 | 0xa550 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:55.590008020 CET | 192.168.2.9 | 1.1.1.1 | 0x6065 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 18:11:56.738717079 CET | 192.168.2.9 | 1.1.1.1 | 0xf6ca | Standard query (0) | 53.210.109.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 18:11:28.069660902 CET | 1.1.1.1 | 192.168.2.9 | 0xdc79 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:11:28.069660902 CET | 1.1.1.1 | 192.168.2.9 | 0xdc79 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:28.069660902 CET | 1.1.1.1 | 192.168.2.9 | 0xdc79 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:28.069660902 CET | 1.1.1.1 | 192.168.2.9 | 0xdc79 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:28.069660902 CET | 1.1.1.1 | 192.168.2.9 | 0xdc79 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:28.069660902 CET | 1.1.1.1 | 192.168.2.9 | 0xdc79 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.080396891 CET | 1.1.1.1 | 192.168.2.9 | 0xa550 | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.080396891 CET | 1.1.1.1 | 192.168.2.9 | 0xa550 | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.080396891 CET | 1.1.1.1 | 192.168.2.9 | 0xa550 | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.080396891 CET | 1.1.1.1 | 192.168.2.9 | 0xa550 | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.080396891 CET | 1.1.1.1 | 192.168.2.9 | 0xa550 | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.080396891 CET | 1.1.1.1 | 192.168.2.9 | 0xa550 | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:29.080396891 CET | 1.1.1.1 | 192.168.2.9 | 0xa550 | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:11:55.596801043 CET | 1.1.1.1 | 192.168.2.9 | 0x6065 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 18:11:56.745785952 CET | 1.1.1.1 | 192.168.2.9 | 0xf6ca | Name error (3) | 53.210.109.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49757 | 132.226.247.73 | 80 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:11:28.081033945 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:11:28.760343075 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:11:28.768863916 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:11:28.978121042 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:11:30.302980900 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:11:30.512279034 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49780 | 132.226.247.73 | 80 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:11:31.136092901 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:11:31.828016996 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49790 | 132.226.247.73 | 80 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:11:32.536268950 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:11:33.240595102 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:33 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49799 | 132.226.247.73 | 80 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:11:33.884239912 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:11:34.575445890 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49811 | 132.226.247.73 | 80 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:11:35.291589975 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:11:35.966720104 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:35 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49823 | 132.226.247.73 | 80 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:11:36.606432915 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:11:37.279310942 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49832 | 132.226.247.73 | 80 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:11:37.922832966 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:11:38.613615036 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:38 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49763 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:11:30 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:11:30 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:11:30 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1843879
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I%2FC1tj2WNHW51Ww1hEOxz3qjyZzTVsNxFlHlLLpuJxc5pMvcCfV7YBTfgkchlH4Zm7PqoOedQKUMjm5wJtW5HGe%2FeUIiGDdSvqt82PteAc8CK%2BG5dKYA3P%2BzJP78YsCUV2Us90Xm"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe495dcf284388-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1546&rtt_var=597&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1806930&cwnd=221&unsent_bytes=0&cid=aa1a070b03494bd1&ts=620&x=0"
2025-01-10 17:11:30 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          1 | 192.168.2.9 | 49774 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-10 17:11:30 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2025-01-10 17:11:31 UTC | 855 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 10 Jan 2025 17:11:31 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1843880
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xffIgW6bOyMxaAVzBL6FexffUGFpH1RvhmbQUHzpnWHQGvCA10zuwIwOCcK70Yn5A%2BGv3H2BaWSnxR581LAkK317D1oxGN%2BZr1osQn6Gj6hyIaO7nBXEzsVue48BlVWyI52LV%2BwI"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8ffe49632e867293-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=2038&min_rtt=1956&rtt_var=792&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1492842&cwnd=158&unsent_bytes=0&cid=38b3d9aaf55c42a8&ts=151&x=0"
                                          2025-01-10 17:11:31 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          2 | 192.168.2.9 | 49786 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-10 17:11:32 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2025-01-10 17:11:32 UTC | 855 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 10 Jan 2025 17:11:32 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1843881
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FfhDKiTA8538RGWG8PtoNuvKJM0liO7h7wzLMcOx%2BS6YyPpSspBaj2jBXDE0TdPbcnsVtNaogPaWl5ebBD%2Btk39lgI1BvmwkJgG6iEiYW9bBAw4ps00eJMvxZ5kMXlSP1fAJDx3G"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8ffe496b79c54388-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1584&rtt_var=636&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1663817&cwnd=221&unsent_bytes=0&cid=a40d15a9184b6ebf&ts=163&x=0"
                                          2025-01-10 17:11:32 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          3 | 192.168.2.9 | 49793 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-10 17:11:33 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-10 17:11:33 UTC | 857 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 10 Jan 2025 17:11:33 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1843882
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bSr%2F%2BNpPGNE4dWcb7ylpRV9UK%2FhA0mEqpQYDaJaQpUD85Tig9s5UnnmaXfcRfdqb9NVMZ5N93Y8luU4QgNrKJ2ciwglOiJuQPtHGWdsEOKEDxhGjs6G%2BCFBrxY0zmtCryBjAsHvl"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8ffe49743f711899-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1645&rtt_var=652&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1635854&cwnd=153&unsent_bytes=0&cid=01ef61cc854179ee&ts=149&x=0"
                                          2025-01-10 17:11:33 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          4 | 192.168.2.9 | 49805 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-10 17:11:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-10 17:11:35 UTC | 851 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 10 Jan 2025 17:11:35 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1843884
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n4kI1s9SQi7dQ6SzfC01y5psOye3YAJb2wVUqKAggCY1w2F3tG0UwB54c5hEf%2BFQKQCRGPs2bQqZ4DCa5WXw3Kk9JL2GvMS2gg4teylTNc0Sq390u7spoC3ZvXuwiImKtkT3D4qd"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8ffe497c9d6d7293-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1921&min_rtt=1917&rtt_var=728&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1494370&cwnd=158&unsent_bytes=0&cid=6ca839374efe93da&ts=159&x=0"
                                          2025-01-10 17:11:35 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          5 | 192.168.2.9 | 49817 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-10 17:11:36 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-10 17:11:36 UTC | 857 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 10 Jan 2025 17:11:36 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1843885
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JPK69K9kx%2FDOmBouTts7RZ6a8VPz05oZF3lYLcywr5yYlAU7Cg4JyruGVVLcaQ7zTLgFvMC2ALrgRlMeD63TUIGXyoE%2F%2BI6uFVCDYrSWIIEWT57wm0DAB9WKKL7lyMvmDEK%2FD6we"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8ffe498559cd1899-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1671&rtt_var=841&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1747456&cwnd=153&unsent_bytes=0&cid=15dc9072258caf4e&ts=160&x=0"
                                          2025-01-10 17:11:36 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          6 | 192.168.2.9 | 49829 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-10 17:11:37 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-10 17:11:37 UTC | 853 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 10 Jan 2025 17:11:37 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1843886
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xMnI2KVGy3zeXr93F80Zk1VMerO9GoknlBp9l2H2O4R61PvztJ5%2FEv12XwX0koFVr6ZaevQDoSiAtpOfeehwoqOSxb3%2Bl9QX55ju3i3GxhFekAzFRP9g2gswPGyEASvgKkUjbPnr"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8ffe498d8dc38ce3-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1858&min_rtt=1830&rtt_var=742&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1420924&cwnd=252&unsent_bytes=0&cid=93ce505402f7c1ac&ts=155&x=0"
                                          2025-01-10 17:11:37 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          7 | 192.168.2.9 | 49837 | 104.21.16.1 | 443 | 7544 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-10 17:11:39 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-10 17:11:39 UTC | 855 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 10 Jan 2025 17:11:39 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1843888
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S56nIam8sSAvkl6Q5VNOAPOyAcXQZyfpeDBBY4f9ZIZevAVJCS86LTB3ChLHtPcy%2FU6TSmDYQS%2BdnhsfEU9nuZiDuMVtwXYEWLorBogNWVcjBjv87lNILqIsTxRJUp5GH6vii%2FpC"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8ffe4995cb250fa8-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1505&min_rtt=1495&rtt_var=582&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1845764&cwnd=252&unsent_bytes=0&cid=4e1b421ea2ce6ec2&ts=166&x=0"
                                          2025-01-10 17:11:39 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

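The sessions above are one lookup repeated by RegSvcs.exe, a signed .NET Framework utility that has no legitimate reason to fetch geolocation data for the machine's public IP; the pairing of a .NET host process with a public-IP geolocation service, repeated within seconds, is the detectable signal. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it takes session records in the report's column layout, pulls the queried IP out of the request path, flags lookups made by .NET host processes, groups repeats per PID, and parses the XML reply into the fields the malware reads. The process list, the geolocation hostnames other than reallyfreegeoip.org, the fourth (benign) session and the complete XML reply are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# .NET Framework utilities commonly used as injection hosts (assumption; RegSvcs.exe is the one on the page).
NET_HOST_PROCESSES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Public-IP / geolocation services. reallyfreegeoip.org is on the page; the others are assumptions.
GEOIP_HOSTS = {"reallyfreegeoip.org", "checkip.dyndns.org", "ip-api.com", "ipinfo.io"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Constructed session records in the report's column layout; ids 1-3 mirror the page, id 4 is benign browser traffic.
SESSIONS = [
    {"id": 1, "src": "192.168.2.9:49774", "dst": "104.21.16.1:443", "pid": 7544,
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ts": "2025-01-10 17:11:30 UTC", "request": "GET /xml/8.46.123.189 HTTP/1.1", "host": "reallyfreegeoip.org"},
    {"id": 2, "src": "192.168.2.9:49786", "dst": "104.21.16.1:443", "pid": 7544,
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ts": "2025-01-10 17:11:32 UTC", "request": "GET /xml/8.46.123.189 HTTP/1.1", "host": "reallyfreegeoip.org"},
    {"id": 3, "src": "192.168.2.9:49793", "dst": "104.21.16.1:443", "pid": 7544,
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ts": "2025-01-10 17:11:33 UTC", "request": "GET /xml/8.46.123.189 HTTP/1.1", "host": "reallyfreegeoip.org"},
    {"id": 4, "src": "192.168.2.9:49900", "dst": "93.184.216.34:443", "pid": 4120,
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ts": "2025-01-10 17:12:00 UTC", "request": "GET / HTTP/1.1", "host": "example.com"},
]

# Constructed complete reply in the shape of the truncated excerpt shown on the page.
GEO_XML = (
    "<Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode>"
    "<CountryName>United States</CountryName><RegionCode>NY</RegionCode>"
    "<RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode>"
    "<TimeZone>America/New_York</TimeZone></Response>"
)


def parse_timestamp(ts):
    """Report timestamps look like '2025-01-10 17:11:30 UTC'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %Z")


def queried_ip(request_line):
    """IPv4 literal embedded in the request path (the victim's public IP), or None."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    ip = IPV4.search(m.group("path"))
    return ip.group(0) if ip else None


def geoip_lookups(sessions):
    """Sessions in which a .NET host process queries a geolocation service."""
    hits = []
    for s in sessions:
        image = s["process"].rsplit("\\", 1)[-1].lower()
        if image in NET_HOST_PROCESSES and s["host"].lower() in GEOIP_HOSTS:
            hits.append({"id": s["id"], "pid": s["pid"], "image": image, "host": s["host"],
                         "queried_ip": queried_ip(s["request"]), "ts": parse_timestamp(s["ts"])})
    return hits


def repeated_lookups(hits, window=timedelta(seconds=30), threshold=3):
    """PIDs that repeat the lookup at least `threshold` times inside `window` (retry loop / beaconing)."""
    by_pid = defaultdict(list)
    for h in hits:
        by_pid[h["pid"]].append(h["ts"])
    return {pid: len(ts) for pid, ts in by_pid.items()
            if len(ts) >= threshold and max(ts) - min(ts) <= window}


def parse_geo_response(xml_text):
    """Map of the XML child elements (IP, CountryCode, City, ...) that the malware reads from the reply."""
    return {child.tag: child.text for child in ET.fromstring(xml_text)}


if __name__ == "__main__":
    found = geoip_lookups(SESSIONS)
    for h in found:
        print(f"session {h['id']}: {h['image']} (pid {h['pid']}) -> {h['host']} for {h['queried_ip']} at {h['ts']}")
    print("repeated lookups per pid:", repeated_lookups(found))
    print("fields in reply:", parse_geo_response(GEO_XML))
```

The per-PID repeat count is the part worth keeping in a production rule: a single lookup from an unusual process is noisy, but the same LOLBin asking the same service for the same IP several times in under half a minute, as in the sessions above, is the sample's retry loop and not user activity.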


                                          Target ID:0
                                          Start time:12:11:23
                                          Start date:10/01/2025
                                          Path:C:\Users\user\Desktop\v3tK92KcJV.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\v3tK92KcJV.exe"
                                          Imagebase:0x6d0000
                                          File size:1'059'840 bytes
                                          MD5 hash:746EEF70BAC7ABA1B57E9821E5D3010F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1390053317.0000000001D50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:12:11:25
                                          Start date:10/01/2025
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\v3tK92KcJV.exe"
                                          Imagebase:0xa40000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.1506678645.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1507961295.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:12:11:38
                                          Start date:10/01/2025
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0xc50000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:12:11:38
                                          Start date:10/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff70f010000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:12:11:38
                                          Start date:10/01/2025
                                          Path:C:\Windows\SysWOW64\choice.exe
                                          Wow64 process (32bit):true
                                          Commandline:choice /C Y /N /D Y /T 3
                                          Imagebase:0xbe0000
                                          File size:28'160 bytes
                                          MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true
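Target IDs 3 to 5 are the clean-up chain the sample spawns after injection: cmd.exe runs choice as a three-second timer and then deletes the image of the host process, which here is the legitimate RegSvcs.exe path under C:\Windows. The Python below is an added example written for this page, not code from the report or the sample: it parses process command lines, recognises the timer-then-delete idiom, and extracts the delay and the target so a hunt can pivot on it. It goes beyond the page by also matching the ping -n and timeout /t variants of the same idiom; those variants, the executable-extension list and every sample command line except the first are constructed assumptions.

```python
import re

# Timer idioms a dropper chains before the delete so the parent has exited by the time it runs.
# `choice ... /T N` is what the report shows; `ping -n N` and `timeout /t N` are assumed variants.
TIMER = re.compile(
    r"\bchoice\b[^&|]*?/T\s+(?P<choice>\d+)"
    r"|\bping\b[^&|]*?-n\s+(?P<ping>\d+)"
    r"|\btimeout\b[^&|]*?/t\s+(?P<timeout>\d+)",
    re.IGNORECASE,
)
# `del`/`erase`, optional switches, then a quoted or bare path up to the end or the next operator.
DELETE = re.compile(
    r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*"?(?P<target>[^"&|]+?)"?\s*(?:$|[&|])',
    re.IGNORECASE,
)
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")  # assumption

# Constructed inputs: the first is the cmd.exe command line from the report, the rest are made up.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r'choice /C Y /N /D Y /T 3',
    r'cmd.exe /c ping 127.0.0.1 -n 4 > nul & del /f /q "C:\Users\user\AppData\Local\Temp\stage.exe"',
    r'cmd /c timeout /t 5 /nobreak & erase C:\Users\user\Downloads\dropper.scr',
    r'cmd.exe /c del /q C:\Users\user\AppData\Local\Temp\build.log',
]


def classify(cmdline):
    """Return a finding for a timer-then-delete chain, or None when the idiom is absent."""
    timer = TIMER.search(cmdline)
    delete = DELETE.search(cmdline)
    if timer is None or delete is None or delete.start() < timer.start():
        return None
    mechanism = timer.lastgroup            # name of the alternation branch that matched
    delay = int(timer.group(mechanism))
    if mechanism == "ping":
        delay = max(delay - 1, 0)          # N echo requests one second apart wait roughly N-1 seconds
    target = delete.group("target").strip()
    return {
        "mechanism": mechanism,
        "delay_s": delay,
        "target": target,
        "targets_executable": target.lower().endswith(EXECUTABLE_EXTS),
        # A delete aimed under C:\Windows is the hollowed host's own image, as on this page.
        "targets_windows_dir": target.lower().startswith("c:\\windows\\"),
    }


def scan(cmdlines):
    """Classify each command line, keeping its index so findings map back to process records."""
    findings = []
    for i, line in enumerate(cmdlines):
        finding = classify(line)
        if finding:
            finding["index"] = i
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f['index']}] {f['mechanism']} timer, {f['delay_s']}s, deletes {f['target']}")
```

The choice-only child (Target ID 5) deliberately does not fire on its own; the detection belongs on the cmd.exe parent, where both halves of the chain are visible in one command line. A delete whose target is a Microsoft-signed binary under C:\Windows is the odd detail to pivot on, since a genuine uninstaller would not remove a framework component with cmd.exe.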


                                            Execution Graph

                                            Execution Coverage:3.3%
                                            Dynamic/Decrypted Code Coverage:0.5%
                                            Signature Coverage:4.9%
                                            Total number of Nodes:1992
                                            Total number of Limit Nodes:71
                                            Execution graph data (node and edge listing for the interactive viewer; not reproduced). API calls named in the listed nodes: SystemParametersInfoW, CharUpperBuffW, VariantClear, RaiseException, RtlAllocateHeap, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObjectEx, SetEvent, ResetEvent, together with CRT internals (__wsopen_s, __fread_nolock, _wcslen, __dosmaperr, ___std_exception_copy, __Init_thread_footer, pre_c_initialization).
6df3ae messages 95551->95558 95552 6da961 22 API calls 95552->95556 95553->95418 95600 74359c 82 API calls __wsopen_s 95554->95600 95556->95536 95556->95537 95556->95538 95556->95539 95556->95541 95556->95543 95556->95544 95556->95548 95556->95551 95556->95552 95556->95553 95557 724beb 95556->95557 95556->95558 95596 6e01e0 235 API calls 2 library calls 95556->95596 95597 6e06a0 41 API calls messages 95556->95597 95601 74359c 82 API calls __wsopen_s 95557->95601 95558->95553 95598 74359c 82 API calls __wsopen_s 95558->95598 95559->95424 95560->95430 95561->95426 95562->95430 95564 6daedc 95563->95564 95568 6daed9 __fread_nolock 95563->95568 95565 6efddb 22 API calls 95564->95565 95566 6daee7 95565->95566 95567 6efe0b 22 API calls 95566->95567 95567->95568 95568->95500 95569->95505 95573 6daddd 95570->95573 95571 6dadb6 95571->95406 95572 6efddb 22 API calls 95572->95573 95573->95571 95573->95572 95575 6da8c7 22 API calls 95573->95575 95576 6dadcd 22 API calls 95573->95576 95577 6da961 95573->95577 95575->95573 95576->95573 95578 6efe0b 22 API calls 95577->95578 95579 6da976 95578->95579 95580 6efddb 22 API calls 95579->95580 95581 6da984 95580->95581 95581->95573 95583 6daf98 95582->95583 95589 6dafc0 messages 95582->95589 95584 6dafa6 95583->95584 95585 6daf8a 22 API calls 95583->95585 95586 6dafac 95584->95586 95587 6daf8a 22 API calls 95584->95587 95585->95584 95588 6db090 22 API calls 95586->95588 95586->95589 95587->95586 95588->95589 95589->95518 95591 6db09b messages 95590->95591 95593 6db0d6 messages 95591->95593 95595 6ece17 22 API calls messages 95591->95595 95593->95523 95594->95515 95595->95593 95596->95556 95597->95556 95598->95553 95599->95553 95600->95557 95601->95553 95602 6d1044 95607 6d10f3 95602->95607 95604 6d104a 95643 6f00a3 29 API calls __onexit 95604->95643 95606 6d1054 95644 6d1398 95607->95644 95611 6d116a 95612 6da961 22 API calls 95611->95612 95613 6d1174 95612->95613 95614 6da961 22 API calls 95613->95614 95615 6d117e 95614->95615 95616 
6da961 22 API calls 95615->95616 95617 6d1188 95616->95617 95618 6da961 22 API calls 95617->95618 95619 6d11c6 95618->95619 95620 6da961 22 API calls 95619->95620 95621 6d1292 95620->95621 95654 6d171c 95621->95654 95625 6d12c4 95626 6da961 22 API calls 95625->95626 95627 6d12ce 95626->95627 95675 6e1940 95627->95675 95629 6d12f9 95685 6d1aab 95629->95685 95631 6d1315 95632 6d1325 GetStdHandle 95631->95632 95633 712485 95632->95633 95634 6d137a 95632->95634 95633->95634 95635 71248e 95633->95635 95637 6d1387 OleInitialize 95634->95637 95636 6efddb 22 API calls 95635->95636 95638 712495 95636->95638 95637->95604 95692 74011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 95638->95692 95640 71249e 95693 740944 CreateThread 95640->95693 95642 7124aa CloseHandle 95642->95634 95643->95606 95694 6d13f1 95644->95694 95647 6d13f1 22 API calls 95648 6d13d0 95647->95648 95649 6da961 22 API calls 95648->95649 95650 6d13dc 95649->95650 95701 6d6b57 95650->95701 95652 6d1129 95653 6d1bc3 6 API calls 95652->95653 95653->95611 95655 6da961 22 API calls 95654->95655 95656 6d172c 95655->95656 95657 6da961 22 API calls 95656->95657 95658 6d1734 95657->95658 95659 6da961 22 API calls 95658->95659 95660 6d174f 95659->95660 95661 6efddb 22 API calls 95660->95661 95662 6d129c 95661->95662 95663 6d1b4a 95662->95663 95664 6d1b58 95663->95664 95665 6da961 22 API calls 95664->95665 95666 6d1b63 95665->95666 95667 6da961 22 API calls 95666->95667 95668 6d1b6e 95667->95668 95669 6da961 22 API calls 95668->95669 95670 6d1b79 95669->95670 95671 6da961 22 API calls 95670->95671 95672 6d1b84 95671->95672 95673 6efddb 22 API calls 95672->95673 95674 6d1b96 RegisterWindowMessageW 95673->95674 95674->95625 95676 6e1981 95675->95676 95679 6e195d 95675->95679 95718 6f0242 5 API calls __Init_thread_wait 95676->95718 95684 6e196e 95679->95684 95720 6f0242 5 API calls __Init_thread_wait 95679->95720 95680 6e198b 95680->95679 95719 6f01f8 
EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95680->95719 95681 6e8727 95681->95684 95721 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95681->95721 95684->95629 95686 6d1abb 95685->95686 95687 71272d 95685->95687 95689 6efddb 22 API calls 95686->95689 95722 743209 23 API calls 95687->95722 95691 6d1ac3 95689->95691 95690 712738 95691->95631 95692->95640 95693->95642 95723 74092a 28 API calls 95693->95723 95695 6da961 22 API calls 95694->95695 95696 6d13fc 95695->95696 95697 6da961 22 API calls 95696->95697 95698 6d1404 95697->95698 95699 6da961 22 API calls 95698->95699 95700 6d13c6 95699->95700 95700->95647 95702 714ba1 95701->95702 95703 6d6b67 _wcslen 95701->95703 95714 6d93b2 95702->95714 95706 6d6b7d 95703->95706 95707 6d6ba2 95703->95707 95705 714baa 95705->95705 95713 6d6f34 22 API calls 95706->95713 95708 6efddb 22 API calls 95707->95708 95710 6d6bae 95708->95710 95712 6efe0b 22 API calls 95710->95712 95711 6d6b85 __fread_nolock 95711->95652 95712->95711 95713->95711 95715 6d93c9 __fread_nolock 95714->95715 95716 6d93c0 95714->95716 95715->95705 95716->95715 95717 6daec9 22 API calls 95716->95717 95717->95715 95718->95680 95719->95679 95720->95681 95721->95684 95722->95690 95724 1212288 95738 120fed8 95724->95738 95726 1212312 95741 1212178 95726->95741 95744 1213338 GetPEB 95738->95744 95740 1210563 95740->95726 95742 1212181 Sleep 95741->95742 95743 121218f 95742->95743 95745 1213362 95744->95745 95745->95740 95746 7090fa 95747 709107 95746->95747 95750 70911f 95746->95750 95803 6ff2d9 20 API calls __dosmaperr 95747->95803 95749 70910c 95804 7027ec 26 API calls pre_c_initialization 95749->95804 95752 70917a 95750->95752 95760 709117 95750->95760 95805 70fdc4 21 API calls 2 library calls 95750->95805 95766 6fd955 95752->95766 95755 709192 95773 708c32 95755->95773 95757 709199 95758 6fd955 __fread_nolock 26 API calls 95757->95758 95757->95760 95759 7091c5 95758->95759 95759->95760 95761 6fd955 __fread_nolock 26 API 
calls 95759->95761 95762 7091d3 95761->95762 95762->95760 95763 6fd955 __fread_nolock 26 API calls 95762->95763 95764 7091e3 95763->95764 95765 6fd955 __fread_nolock 26 API calls 95764->95765 95765->95760 95767 6fd976 95766->95767 95768 6fd961 95766->95768 95767->95755 95806 6ff2d9 20 API calls __dosmaperr 95768->95806 95770 6fd966 95807 7027ec 26 API calls pre_c_initialization 95770->95807 95772 6fd971 95772->95755 95774 708c3e ___scrt_is_nonwritable_in_current_image 95773->95774 95775 708c46 95774->95775 95776 708c5e 95774->95776 95874 6ff2c6 20 API calls __dosmaperr 95775->95874 95778 708d24 95776->95778 95782 708c97 95776->95782 95881 6ff2c6 20 API calls __dosmaperr 95778->95881 95779 708c4b 95875 6ff2d9 20 API calls __dosmaperr 95779->95875 95784 708ca6 95782->95784 95785 708cbb 95782->95785 95783 708d29 95882 6ff2d9 20 API calls __dosmaperr 95783->95882 95876 6ff2c6 20 API calls __dosmaperr 95784->95876 95808 705147 EnterCriticalSection 95785->95808 95789 708cb3 95883 7027ec 26 API calls pre_c_initialization 95789->95883 95790 708cab 95877 6ff2d9 20 API calls __dosmaperr 95790->95877 95791 708cc1 95792 708cf2 95791->95792 95793 708cdd 95791->95793 95809 708d45 95792->95809 95878 6ff2d9 20 API calls __dosmaperr 95793->95878 95795 708c53 __wsopen_s 95795->95757 95799 708ce2 95879 6ff2c6 20 API calls __dosmaperr 95799->95879 95800 708ced 95880 708d1c LeaveCriticalSection __wsopen_s 95800->95880 95803->95749 95804->95760 95805->95752 95806->95770 95807->95772 95808->95791 95810 708d57 95809->95810 95811 708d6f 95809->95811 95893 6ff2c6 20 API calls __dosmaperr 95810->95893 95812 7090d9 95811->95812 95817 708db4 95811->95817 95915 6ff2c6 20 API calls __dosmaperr 95812->95915 95814 708d5c 95894 6ff2d9 20 API calls __dosmaperr 95814->95894 95816 7090de 95916 6ff2d9 20 API calls __dosmaperr 95816->95916 95819 708d64 95817->95819 95821 708dbf 95817->95821 95827 708def 95817->95827 95819->95800 95895 6ff2c6 20 API calls __dosmaperr 95821->95895 95822 708dcc 95917 
7027ec 26 API calls pre_c_initialization 95822->95917 95824 708dc4 95896 6ff2d9 20 API calls __dosmaperr 95824->95896 95828 708e08 95827->95828 95829 708e4a 95827->95829 95830 708e2e 95827->95830 95828->95830 95863 708e15 95828->95863 95900 703820 21 API calls __dosmaperr 95829->95900 95897 6ff2c6 20 API calls __dosmaperr 95830->95897 95832 708e33 95898 6ff2d9 20 API calls __dosmaperr 95832->95898 95836 708e61 95901 7029c8 95836->95901 95837 708e3a 95899 7027ec 26 API calls pre_c_initialization 95837->95899 95838 708fb3 95841 709029 95838->95841 95845 708fcc GetConsoleMode 95838->95845 95844 70902d ReadFile 95841->95844 95842 708e6a 95843 7029c8 _free 20 API calls 95842->95843 95846 708e71 95843->95846 95847 7090a1 GetLastError 95844->95847 95848 709047 95844->95848 95845->95841 95849 708fdd 95845->95849 95850 708e96 95846->95850 95851 708e7b 95846->95851 95852 709005 95847->95852 95853 7090ae 95847->95853 95848->95847 95854 70901e 95848->95854 95849->95844 95855 708fe3 ReadConsoleW 95849->95855 95909 709424 28 API calls __fread_nolock 95850->95909 95907 6ff2d9 20 API calls __dosmaperr 95851->95907 95872 708e45 __fread_nolock 95852->95872 95910 6ff2a3 20 API calls __dosmaperr 95852->95910 95913 6ff2d9 20 API calls __dosmaperr 95853->95913 95867 709083 95854->95867 95868 70906c 95854->95868 95854->95872 95855->95854 95860 708fff GetLastError 95855->95860 95856 7029c8 _free 20 API calls 95856->95819 95860->95852 95861 708e80 95908 6ff2c6 20 API calls __dosmaperr 95861->95908 95862 7090b3 95914 6ff2c6 20 API calls __dosmaperr 95862->95914 95884 70f89b 95863->95884 95870 70909a 95867->95870 95867->95872 95911 708a61 31 API calls 2 library calls 95868->95911 95912 7088a1 29 API calls __fread_nolock 95870->95912 95872->95856 95873 70909f 95873->95872 95874->95779 95875->95795 95876->95790 95877->95789 95878->95799 95879->95800 95880->95795 95881->95783 95882->95789 95883->95795 95885 70f8b5 95884->95885 95886 70f8a8 95884->95886 95888 70f8c1 95885->95888 95919 6ff2d9 20 
API calls __dosmaperr 95885->95919 95918 6ff2d9 20 API calls __dosmaperr 95886->95918 95888->95838 95890 70f8ad 95890->95838 95891 70f8e2 95920 7027ec 26 API calls pre_c_initialization 95891->95920 95893->95814 95894->95819 95895->95824 95896->95822 95897->95832 95898->95837 95899->95872 95900->95836 95902 7029fc __dosmaperr 95901->95902 95903 7029d3 RtlFreeHeap 95901->95903 95902->95842 95903->95902 95904 7029e8 95903->95904 95921 6ff2d9 20 API calls __dosmaperr 95904->95921 95906 7029ee GetLastError 95906->95902 95907->95861 95908->95872 95909->95863 95910->95872 95911->95872 95912->95873 95913->95862 95914->95872 95915->95816 95916->95822 95917->95819 95918->95890 95919->95891 95920->95890 95921->95906 95922 6d2de3 95923 6d2df0 __wsopen_s 95922->95923 95924 6d2e09 95923->95924 95925 712c2b ___scrt_fastfail 95923->95925 95938 6d3aa2 95924->95938 95927 712c47 GetOpenFileNameW 95925->95927 95929 712c96 95927->95929 95931 6d6b57 22 API calls 95929->95931 95933 712cab 95931->95933 95933->95933 95935 6d2e27 95966 6d44a8 95935->95966 95995 711f50 95938->95995 95941 6d3ace 95943 6d6b57 22 API calls 95941->95943 95942 6d3ae9 96001 6da6c3 95942->96001 95945 6d3ada 95943->95945 95997 6d37a0 95945->95997 95948 6d2da5 95949 711f50 __wsopen_s 95948->95949 95950 6d2db2 GetLongPathNameW 95949->95950 95951 6d6b57 22 API calls 95950->95951 95952 6d2dda 95951->95952 95953 6d3598 95952->95953 95954 6da961 22 API calls 95953->95954 95955 6d35aa 95954->95955 95956 6d3aa2 23 API calls 95955->95956 95957 6d35b5 95956->95957 95958 7132eb 95957->95958 95959 6d35c0 95957->95959 95964 71330d 95958->95964 96019 6ece60 41 API calls 95958->96019 96007 6d515f 95959->96007 95965 6d35df 95965->95935 96020 6d4ecb 95966->96020 95969 713833 96042 742cf9 95969->96042 95971 6d4ecb 94 API calls 95973 6d44e1 95971->95973 95972 713848 95974 713869 95972->95974 95975 71384c 95972->95975 95973->95969 95976 6d44e9 95973->95976 95978 6efe0b 22 API calls 95974->95978 96083 6d4f39 95975->96083 95979 713854 
95976->95979 95980 6d44f5 95976->95980 95991 7138ae 95978->95991 96089 73da5a 82 API calls 95979->96089 96082 6d940c 136 API calls 2 library calls 95980->96082 95983 713862 95983->95974 95984 6d2e31 95985 6d4f39 68 API calls 95988 713a5f 95985->95988 95988->95985 96093 73989b 82 API calls __wsopen_s 95988->96093 95991->95988 95992 6d9cb3 22 API calls 95991->95992 96068 6da4a1 95991->96068 96076 6d3ff7 95991->96076 96090 73967e 22 API calls __fread_nolock 95991->96090 96091 7395ad 42 API calls _wcslen 95991->96091 96092 740b5a 22 API calls 95991->96092 95992->95991 95996 6d3aaf GetFullPathNameW 95995->95996 95996->95941 95996->95942 95998 6d37ae 95997->95998 95999 6d93b2 22 API calls 95998->95999 96000 6d2e12 95999->96000 96000->95948 96002 6da6dd 96001->96002 96003 6da6d0 96001->96003 96004 6efddb 22 API calls 96002->96004 96003->95945 96005 6da6e7 96004->96005 96006 6efe0b 22 API calls 96005->96006 96006->96003 96008 6d516e 96007->96008 96012 6d518f __fread_nolock 96007->96012 96010 6efe0b 22 API calls 96008->96010 96009 6efddb 22 API calls 96011 6d35cc 96009->96011 96010->96012 96013 6d35f3 96011->96013 96012->96009 96014 6d3605 96013->96014 96018 6d3624 __fread_nolock 96013->96018 96016 6efe0b 22 API calls 96014->96016 96015 6efddb 22 API calls 96017 6d363b 96015->96017 96016->96018 96017->95965 96018->96015 96019->95958 96094 6d4e90 LoadLibraryA 96020->96094 96025 6d4ef6 LoadLibraryExW 96102 6d4e59 LoadLibraryA 96025->96102 96026 713ccf 96028 6d4f39 68 API calls 96026->96028 96030 713cd6 96028->96030 96032 6d4e59 3 API calls 96030->96032 96034 713cde 96032->96034 96033 6d4f20 96033->96034 96035 6d4f2c 96033->96035 96124 6d50f5 96034->96124 96037 6d4f39 68 API calls 96035->96037 96039 6d44cd 96037->96039 96039->95969 96039->95971 96041 713d05 96043 742d15 96042->96043 96044 6d511f 64 API calls 96043->96044 96045 742d29 96044->96045 96283 742e66 96045->96283 96048 6d50f5 40 API calls 96049 742d56 96048->96049 96050 6d50f5 40 API calls 96049->96050 96051 742d66 
96050->96051 96052 6d50f5 40 API calls 96051->96052 96053 742d81 96052->96053 96054 6d50f5 40 API calls 96053->96054 96055 742d9c 96054->96055 96056 6d511f 64 API calls 96055->96056 96057 742db3 96056->96057 96058 6fea0c ___std_exception_copy 21 API calls 96057->96058 96059 742dba 96058->96059 96060 6fea0c ___std_exception_copy 21 API calls 96059->96060 96061 742dc4 96060->96061 96062 6d50f5 40 API calls 96061->96062 96063 742dd8 96062->96063 96064 7428fe 27 API calls 96063->96064 96065 742dee 96064->96065 96066 742d3f 96065->96066 96289 7422ce 96065->96289 96066->95972 96069 6da52b 96068->96069 96070 6da4b1 __fread_nolock 96068->96070 96073 6efe0b 22 API calls 96069->96073 96071 6efddb 22 API calls 96070->96071 96072 6da4b8 96071->96072 96074 6da4d6 96072->96074 96075 6efddb 22 API calls 96072->96075 96073->96070 96074->95991 96075->96074 96077 6d400a 96076->96077 96079 6d40ae 96076->96079 96078 6efe0b 22 API calls 96077->96078 96081 6d403c 96077->96081 96078->96081 96079->95991 96080 6efddb 22 API calls 96080->96081 96081->96079 96081->96080 96082->95984 96084 6d4f43 96083->96084 96086 6d4f4a 96083->96086 96085 6fe678 67 API calls 96084->96085 96085->96086 96087 6d4f59 96086->96087 96088 6d4f6a FreeLibrary 96086->96088 96087->95979 96088->96087 96089->95983 96090->95991 96091->95991 96092->95991 96093->95988 96095 6d4ea8 GetProcAddress 96094->96095 96096 6d4ec6 96094->96096 96097 6d4eb8 96095->96097 96099 6fe5eb 96096->96099 96097->96096 96098 6d4ebf FreeLibrary 96097->96098 96098->96096 96132 6fe52a 96099->96132 96101 6d4eea 96101->96025 96101->96026 96103 6d4e8d 96102->96103 96104 6d4e6e GetProcAddress 96102->96104 96107 6d4f80 96103->96107 96105 6d4e7e 96104->96105 96105->96103 96106 6d4e86 FreeLibrary 96105->96106 96106->96103 96108 6efe0b 22 API calls 96107->96108 96109 6d4f95 96108->96109 96193 6d5722 96109->96193 96111 6d4fa1 __fread_nolock 96112 6d50a5 96111->96112 96113 713d1d 96111->96113 96123 6d4fdc 96111->96123 96196 6d42a2 CreateStreamOnHGlobal 
96112->96196 96207 74304d 74 API calls 96113->96207 96116 713d22 96118 6d511f 64 API calls 96116->96118 96117 6d50f5 40 API calls 96117->96123 96119 713d45 96118->96119 96120 6d50f5 40 API calls 96119->96120 96122 6d506e messages 96120->96122 96122->96033 96123->96116 96123->96117 96123->96122 96202 6d511f 96123->96202 96125 713d70 96124->96125 96126 6d5107 96124->96126 96229 6fe8c4 96126->96229 96129 7428fe 96266 74274e 96129->96266 96131 742919 96131->96041 96133 6fe536 ___scrt_is_nonwritable_in_current_image 96132->96133 96134 6fe544 96133->96134 96136 6fe574 96133->96136 96157 6ff2d9 20 API calls __dosmaperr 96134->96157 96138 6fe579 96136->96138 96139 6fe586 96136->96139 96137 6fe549 96158 7027ec 26 API calls pre_c_initialization 96137->96158 96159 6ff2d9 20 API calls __dosmaperr 96138->96159 96149 708061 96139->96149 96143 6fe58f 96144 6fe595 96143->96144 96145 6fe5a2 96143->96145 96160 6ff2d9 20 API calls __dosmaperr 96144->96160 96161 6fe5d4 LeaveCriticalSection __fread_nolock 96145->96161 96146 6fe554 __wsopen_s 96146->96101 96150 70806d ___scrt_is_nonwritable_in_current_image 96149->96150 96162 702f5e EnterCriticalSection 96150->96162 96152 70807b 96163 7080fb 96152->96163 96156 7080ac __wsopen_s 96156->96143 96157->96137 96158->96146 96159->96146 96160->96146 96161->96146 96162->96152 96172 70811e 96163->96172 96164 708088 96176 7080b7 96164->96176 96165 708177 96181 704c7d 96165->96181 96169 7029c8 _free 20 API calls 96170 708189 96169->96170 96170->96164 96188 703405 11 API calls 2 library calls 96170->96188 96172->96164 96172->96165 96179 6f918d EnterCriticalSection 96172->96179 96180 6f91a1 LeaveCriticalSection 96172->96180 96173 7081a8 96189 6f918d EnterCriticalSection 96173->96189 96192 702fa6 LeaveCriticalSection 96176->96192 96178 7080be 96178->96156 96179->96172 96180->96172 96187 704c8a __dosmaperr 96181->96187 96182 704cca 96191 6ff2d9 20 API calls __dosmaperr 96182->96191 96183 704cb5 RtlAllocateHeap 96185 704cc8 96183->96185 96183->96187 
96185->96169 96187->96182 96187->96183 96190 6f4ead 7 API calls 2 library calls 96187->96190 96188->96173 96189->96164 96190->96187 96191->96185 96192->96178 96194 6efddb 22 API calls 96193->96194 96195 6d5734 96194->96195 96195->96111 96197 6d42bc FindResourceExW 96196->96197 96198 6d42d9 96196->96198 96197->96198 96199 7135ba LoadResource 96197->96199 96198->96123 96199->96198 96200 7135cf SizeofResource 96199->96200 96200->96198 96201 7135e3 LockResource 96200->96201 96201->96198 96203 6d512e 96202->96203 96206 713d90 96202->96206 96208 6fece3 96203->96208 96207->96116 96211 6feaaa 96208->96211 96210 6d513c 96210->96123 96214 6feab6 ___scrt_is_nonwritable_in_current_image 96211->96214 96212 6feac2 96224 6ff2d9 20 API calls __dosmaperr 96212->96224 96214->96212 96215 6feae8 96214->96215 96226 6f918d EnterCriticalSection 96215->96226 96216 6feac7 96225 7027ec 26 API calls pre_c_initialization 96216->96225 96219 6feaf4 96227 6fec0a 62 API calls 2 library calls 96219->96227 96221 6feb08 96228 6feb27 LeaveCriticalSection __fread_nolock 96221->96228 96223 6fead2 __wsopen_s 96223->96210 96224->96216 96225->96223 96226->96219 96227->96221 96228->96223 96232 6fe8e1 96229->96232 96231 6d5118 96231->96129 96233 6fe8ed ___scrt_is_nonwritable_in_current_image 96232->96233 96234 6fe92d 96233->96234 96235 6fe900 ___scrt_fastfail 96233->96235 96244 6fe925 __wsopen_s 96233->96244 96245 6f918d EnterCriticalSection 96234->96245 96259 6ff2d9 20 API calls __dosmaperr 96235->96259 96238 6fe937 96246 6fe6f8 96238->96246 96239 6fe91a 96260 7027ec 26 API calls pre_c_initialization 96239->96260 96244->96231 96245->96238 96250 6fe70a ___scrt_fastfail 96246->96250 96252 6fe727 96246->96252 96247 6fe717 96262 6ff2d9 20 API calls __dosmaperr 96247->96262 96249 6fe71c 96263 7027ec 26 API calls pre_c_initialization 96249->96263 96250->96247 96250->96252 96257 6fe76a __fread_nolock 96250->96257 96261 6fe96c LeaveCriticalSection __fread_nolock 96252->96261 96253 6fe886 ___scrt_fastfail 96265 
6ff2d9 20 API calls __dosmaperr 96253->96265 96255 6fd955 __fread_nolock 26 API calls 96255->96257 96257->96252 96257->96253 96257->96255 96258 708d45 __fread_nolock 38 API calls 96257->96258 96264 6fcf78 26 API calls 4 library calls 96257->96264 96258->96257 96259->96239 96260->96244 96261->96244 96262->96249 96263->96252 96264->96257 96265->96249 96269 6fe4e8 96266->96269 96268 74275d 96268->96131 96272 6fe469 96269->96272 96271 6fe505 96271->96268 96273 6fe48c 96272->96273 96274 6fe478 96272->96274 96279 6fe488 __alldvrm 96273->96279 96282 70333f 11 API calls 2 library calls 96273->96282 96280 6ff2d9 20 API calls __dosmaperr 96274->96280 96276 6fe47d 96281 7027ec 26 API calls pre_c_initialization 96276->96281 96279->96271 96280->96276 96281->96279 96282->96279 96284 742e7a 96283->96284 96285 6d50f5 40 API calls 96284->96285 96286 742d3b 96284->96286 96287 7428fe 27 API calls 96284->96287 96288 6d511f 64 API calls 96284->96288 96285->96284 96286->96048 96286->96066 96287->96284 96288->96284 96290 7422e7 96289->96290 96291 7422d9 96289->96291 96293 74232c 96290->96293 96294 6fe5eb 29 API calls 96290->96294 96313 7422f0 96290->96313 96292 6fe5eb 29 API calls 96291->96292 96292->96290 96318 742557 96293->96318 96296 742311 96294->96296 96296->96293 96297 74231a 96296->96297 96301 6fe678 67 API calls 96297->96301 96297->96313 96298 742370 96299 742374 96298->96299 96300 742395 96298->96300 96303 742381 96299->96303 96305 6fe678 67 API calls 96299->96305 96322 742171 96300->96322 96301->96313 96308 6fe678 67 API calls 96303->96308 96303->96313 96304 74239d 96306 7423c3 96304->96306 96307 7423a3 96304->96307 96305->96303 96329 7423f3 96306->96329 96309 7423b0 96307->96309 96311 6fe678 67 API calls 96307->96311 96308->96313 96312 6fe678 67 API calls 96309->96312 96309->96313 96311->96309 96312->96313 96313->96066 96314 7423ca 96315 7423de 96314->96315 96337 6fe678 96314->96337 96315->96313 96317 6fe678 67 API calls 96315->96317 96317->96313 96319 74257c 96318->96319 
96321 742565 __fread_nolock 96318->96321 96320 6fe8c4 __fread_nolock 40 API calls 96319->96320 96320->96321 96321->96298 96323 6fea0c ___std_exception_copy 21 API calls 96322->96323 96324 74217f 96323->96324 96325 6fea0c ___std_exception_copy 21 API calls 96324->96325 96326 742190 96325->96326 96327 6fea0c ___std_exception_copy 21 API calls 96326->96327 96328 74219c 96327->96328 96328->96304 96336 742408 96329->96336 96330 7424c0 96355 742724 65 API calls 96330->96355 96331 7421cc 40 API calls 96331->96336 96333 7424c7 96333->96314 96336->96330 96336->96331 96336->96333 96350 742606 96336->96350 96354 742269 40 API calls 96336->96354 96338 6fe684 ___scrt_is_nonwritable_in_current_image 96337->96338 96339 6fe6aa 96338->96339 96340 6fe695 96338->96340 96341 6fe6a5 __wsopen_s 96339->96341 96391 6f918d EnterCriticalSection 96339->96391 96408 6ff2d9 20 API calls __dosmaperr 96340->96408 96341->96315 96344 6fe69a 96409 7027ec 26 API calls pre_c_initialization 96344->96409 96345 6fe6c6 96392 6fe602 96345->96392 96348 6fe6d1 96410 6fe6ee LeaveCriticalSection __fread_nolock 96348->96410 96351 742617 96350->96351 96352 74261d 96350->96352 96351->96352 96356 7426d7 96351->96356 96352->96336 96354->96336 96355->96333 96357 742703 96356->96357 96358 742714 96356->96358 96360 6fdbb3 96357->96360 96358->96351 96361 6fdbc1 96360->96361 96367 6fdbdd 96360->96367 96362 6fdbcd 96361->96362 96363 6fdbe3 96361->96363 96361->96367 96372 6ff2d9 20 API calls __dosmaperr 96362->96372 96369 6fd9cc 96363->96369 96366 6fdbd2 96373 7027ec 26 API calls pre_c_initialization 96366->96373 96367->96358 96374 6fd97b 96369->96374 96371 6fd9f0 96371->96367 96372->96366 96373->96367 96375 6fd987 ___scrt_is_nonwritable_in_current_image 96374->96375 96382 6f918d EnterCriticalSection 96375->96382 96377 6fd995 96383 6fd9f4 96377->96383 96381 6fd9b3 __wsopen_s 96381->96371 96382->96377 96384 7049a1 27 API calls 96383->96384 96385 6fda09 96384->96385 96386 6fda3a 62 API calls 96385->96386 96387 6fda24 
96386->96387 96388 704a56 62 API calls 96387->96388 96389 6fd9a2 96388->96389 96390 6fd9c0 LeaveCriticalSection __fread_nolock 96389->96390 96390->96381 96391->96345 96393 6fe60f 96392->96393 96394 6fe624 96392->96394 96436 6ff2d9 20 API calls __dosmaperr 96393->96436 96400 6fe61f 96394->96400 96411 6fdc0b 96394->96411 96396 6fe614 96437 7027ec 26 API calls pre_c_initialization 96396->96437 96400->96348 96403 6fd955 __fread_nolock 26 API calls 96404 6fe646 96403->96404 96421 70862f 96404->96421 96407 7029c8 _free 20 API calls 96407->96400 96408->96344 96409->96341 96410->96341 96412 6fdc23 96411->96412 96416 6fdc1f 96411->96416 96413 6fd955 __fread_nolock 26 API calls 96412->96413 96412->96416 96414 6fdc43 96413->96414 96438 7059be 96414->96438 96417 704d7a 96416->96417 96418 704d90 96417->96418 96419 6fe640 96417->96419 96418->96419 96420 7029c8 _free 20 API calls 96418->96420 96419->96403 96420->96419 96422 708653 96421->96422 96423 70863e 96421->96423 96425 70868e 96422->96425 96429 70867a 96422->96429 96561 6ff2c6 20 API calls __dosmaperr 96423->96561 96563 6ff2c6 20 API calls __dosmaperr 96425->96563 96426 708643 96562 6ff2d9 20 API calls __dosmaperr 96426->96562 96558 708607 96429->96558 96430 708693 96564 6ff2d9 20 API calls __dosmaperr 96430->96564 96433 70869b 96565 7027ec 26 API calls pre_c_initialization 96433->96565 96434 6fe64c 96434->96400 96434->96407 96436->96396 96437->96400 96439 7059ca ___scrt_is_nonwritable_in_current_image 96438->96439 96440 7059d2 96439->96440 96441 7059ea 96439->96441 96517 6ff2c6 20 API calls __dosmaperr 96440->96517 96442 705a88 96441->96442 96447 705a1f 96441->96447 96522 6ff2c6 20 API calls __dosmaperr 96442->96522 96444 7059d7 96518 6ff2d9 20 API calls __dosmaperr 96444->96518 96463 705147 EnterCriticalSection 96447->96463 96448 705a8d 96523 6ff2d9 20 API calls __dosmaperr 96448->96523 96451 705a25 96453 705a41 96451->96453 96454 705a56 96451->96454 96452 705a95 96524 7027ec 26 API calls pre_c_initialization 96452->96524 
97804->97764 97805->97770 97806->97774 97807->97778 97808->97778 97809->97778 97810->97778 97811->97730 97812->97734 97813->97740 97814->97749 97815->97758 97816 6d3156 97819 6d3170 97816->97819 97820 6d3187 97819->97820 97821 6d318c 97820->97821 97822 6d31eb 97820->97822 97858 6d31e9 97820->97858 97823 6d3199 97821->97823 97824 6d3265 PostQuitMessage 97821->97824 97826 712dfb 97822->97826 97827 6d31f1 97822->97827 97829 6d31a4 97823->97829 97830 712e7c 97823->97830 97849 6d316a 97824->97849 97825 6d31d0 DefWindowProcW 97825->97849 97875 6d18e2 10 API calls 97826->97875 97831 6d321d SetTimer RegisterWindowMessageW 97827->97831 97832 6d31f8 97827->97832 97834 6d31ae 97829->97834 97835 712e68 97829->97835 97879 73bf30 34 API calls ___scrt_fastfail 97830->97879 97836 6d3246 CreatePopupMenu 97831->97836 97831->97849 97838 6d3201 KillTimer 97832->97838 97839 712d9c 97832->97839 97833 712e1c 97876 6ee499 42 API calls 97833->97876 97842 6d31b9 97834->97842 97843 712e4d 97834->97843 97864 73c161 97835->97864 97836->97849 97871 6d30f2 Shell_NotifyIconW ___scrt_fastfail 97838->97871 97845 712da1 97839->97845 97846 712dd7 MoveWindow 97839->97846 97850 6d31c4 97842->97850 97851 6d3253 97842->97851 97843->97825 97878 730ad7 22 API calls 97843->97878 97844 712e8e 97844->97825 97844->97849 97852 712da7 97845->97852 97853 712dc6 SetFocus 97845->97853 97846->97849 97848 6d3214 97872 6d3c50 DeleteObject DestroyWindow 97848->97872 97850->97825 97877 6d30f2 Shell_NotifyIconW ___scrt_fastfail 97850->97877 97873 6d326f 44 API calls ___scrt_fastfail 97851->97873 97852->97850 97856 712db0 97852->97856 97853->97849 97874 6d18e2 10 API calls 97856->97874 97858->97825 97859 6d3263 97859->97849 97862 712e41 97863 6d3837 49 API calls 97862->97863 97863->97858 97865 73c276 97864->97865 97866 73c179 ___scrt_fastfail 97864->97866 97865->97849 97867 6d3923 24 API calls 97866->97867 97869 73c1a0 97867->97869 97868 73c25f KillTimer SetTimer 97868->97865 97869->97868 97870 73c251 Shell_NotifyIconW 
97869->97870 97870->97868 97871->97848 97872->97849 97873->97859 97874->97849 97875->97833 97876->97850 97877->97862 97878->97858 97879->97844 97880 6d1033 97885 6d4c91 97880->97885 97884 6d1042 97886 6da961 22 API calls 97885->97886 97887 6d4cff 97886->97887 97893 6d3af0 97887->97893 97889 6d4d9c 97891 6d1038 97889->97891 97896 6d51f7 22 API calls __fread_nolock 97889->97896 97892 6f00a3 29 API calls __onexit 97891->97892 97892->97884 97897 6d3b1c 97893->97897 97896->97889 97898 6d3b29 97897->97898 97899 6d3b0f 97897->97899 97898->97899 97900 6d3b30 RegOpenKeyExW 97898->97900 97899->97889 97900->97899 97901 6d3b4a RegQueryValueExW 97900->97901 97902 6d3b6b 97901->97902 97903 6d3b80 RegCloseKey 97901->97903 97902->97903 97903->97899

                                            Control-flow Graph (function 006D42DE; executed / not-executed block edge list from the IDA plugin, rendered as a graph in the report). Path through the API calls: GetVersionExW, then GetCurrentProcess and IsWow64Process, then LoadLibraryA("kernel32.dll") and GetProcAddress("GetNativeSystemInfo"); GetNativeSystemInfo is called when the export resolves, GetSystemInfo otherwise, followed by FreeLibrary.
                                            APIs
                                            • GetVersionExW.KERNEL32(?), ref: 006D430D
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            • GetCurrentProcess.KERNEL32(?,0076CB64,00000000,?,?), ref: 006D4422
                                            • IsWow64Process.KERNEL32(00000000,?,?), ref: 006D4429
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006D4454
                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006D4466
                                            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006D4474
                                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 006D447B
                                            • GetSystemInfo.KERNEL32(?,?,?), ref: 006D44A0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                            • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                            • API String ID: 3290436268-3101561225
                                            • Opcode ID: 5e58d419d6dfeb18fa973428e244d21e4e5ef5a0b52b42e5afb7f7e9ab991676
                                            • Instruction ID: 569a3738feeeae290c9a7606aa7d775ee12e45a2e80a7a97d16c6f5d36e87631
                                            • Opcode Fuzzy Hash: 5e58d419d6dfeb18fa973428e244d21e4e5ef5a0b52b42e5afb7f7e9ab991676
                                            • Instruction Fuzzy Hash: 1AA1A465D0A2C0DFEF12CF6D78801E57FE5ABA7340F88C89AD08197B61D67C4949CB29

                                            Control-flow Graph (function 006D42A2; block edge list from the IDA plugin). CreateStreamOnHGlobal, then FindResourceExW; on success LoadResource, SizeofResource and LockResource in turn, each failure returning early to 006D42DA.
                                            APIs
                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42B2
                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42C9
                                            • LoadResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135BE
                                            • SizeofResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135D3
                                            • LockResource.KERNEL32(006D50AA,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20,?), ref: 007135E6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                            • String ID: SCRIPT
                                            • API String ID: 3051347437-3967369404
                                            • Opcode ID: 246a075dd664262b1961dfb6f7a89e26ad9afcf8139f8b6a19e43dc05d42bf46
                                            • Instruction ID: 8f7659fde18478b6f866f0df50208c0ada4bf0b7bd2b3275a48622568657523e
                                            • Opcode Fuzzy Hash: 246a075dd664262b1961dfb6f7a89e26ad9afcf8139f8b6a19e43dc05d42bf46
                                            • Instruction Fuzzy Hash: BB117C70600701BFE7228B65DC49F677BBAEFC5B51F10816AF847D6290DBB1DD008660
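The function above (006D42A2) opens the sample's own RT_RCDATA resource (type 0x0000000A) named SCRIPT, which is where a compiled AutoIt3 binary keeps its script and what the "Binary is likely a compiled AutoIt script file" signature in the overview keys on. The following is an added example written for this page, not code from the report or from AutoIt: a dependency-free Python walker over the PE resource directory that locates that resource and checks it for the AU3!EA06 signature string that compiled AutoIt3 scripts carry. The PE returned by build_sample_pe() is constructed for the demonstration and is not the analysed sample; the format constants (PE32 data directories at optional-header offset 96, PE32+ at 112, resource directory index 2, the 16-byte directory and entry layouts) are the documented PE format.

```python
"""Added example (not code from the report or from AutoIt): find the RT_RCDATA resource named
"SCRIPT" in a PE, the one FindResourceExW(?, 0xA, "SCRIPT") above opens, and test it for the
AU3!EA06 marker carried by compiled AutoIt3 scripts. Pure Python, no pefile dependency."""
import struct

RT_RCDATA = 10                        # resource type 0x0000000A in the FindResourceExW call
AU3_MAGIC = b"AU3!EA06"               # signature string of AutoIt 3.2.6+ compiled scripts
RSRC_RVA, RSRC_RAW = 0x1000, 0x400    # layout of the constructed sample in build_sample_pe()

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def _parse_headers(pe):
    """Return (section table as (va, size, raw offset), RVA of the resource directory)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ)")
    nt = _u32(pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = nt + 4
    nsections, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    dd = 96 if _u16(pe, opt) == 0x10B else 112        # PE32 / PE32+ data-directory offset
    rsrc_rva = _u32(pe, opt + dd + 2 * 8)              # IMAGE_DIRECTORY_ENTRY_RESOURCE == 2
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return sections, rsrc_rva

def _rva_to_offset(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError("RVA 0x%x not backed by a section" % rva)

def _entries(pe, base, dir_off):
    """Yield (id or name, offset field) for each entry of one IMAGE_RESOURCE_DIRECTORY."""
    count = _u16(pe, base + dir_off + 12) + _u16(pe, base + dir_off + 14)
    for i in range(count):
        name, off = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
        if name & 0x80000000:                          # named entry: IMAGE_RESOURCE_DIR_STRING_U
            so = base + (name & 0x7FFFFFFF)
            name = pe[so + 2:so + 2 + 2 * _u16(pe, so)].decode("utf-16-le")
        yield name, off

def find_resource(pe, res_type, res_name):
    """Walk type -> name -> language and return the first matching resource's bytes, or None."""
    sections, rsrc_rva = _parse_headers(pe)
    base = _rva_to_offset(sections, rsrc_rva)
    for t, t_off in _entries(pe, base, 0):
        if t != res_type or not t_off & 0x80000000:
            continue
        for n, n_off in _entries(pe, base, t_off & 0x7FFFFFFF):
            if n != res_name or not n_off & 0x80000000:
                continue
            for _lang, d_off in _entries(pe, base, n_off & 0x7FFFFFFF):
                if not d_off & 0x80000000:             # leaf: IMAGE_RESOURCE_DATA_ENTRY
                    data_rva, size = struct.unpack_from("<II", pe, base + d_off)
                    off = _rva_to_offset(sections, data_rva)
                    return bytes(pe[off:off + size])
    return None

def looks_like_compiled_autoit(pe):
    """True when RCDATA/"SCRIPT" exists and contains the AutoIt3 script signature."""
    script = find_resource(pe, RT_RCDATA, "SCRIPT")
    return script is not None and AU3_MAGIC in script

def build_sample_pe():
    """Constructed minimal PE32 (not a real sample): one .rsrc section holding RCDATA/"SCRIPT"."""
    payload = AU3_MAGIC + b"\x00" * 8 + b"constructed script body"
    r = bytearray(0x70)
    struct.pack_into("<IIHHHH", r, 0x00, 0, 0, 0, 0, 0, 1)                    # root: 1 id entry
    struct.pack_into("<II", r, 0x10, RT_RCDATA, 0x80000000 | 0x18)            # type 10 -> dir 0x18
    struct.pack_into("<IIHHHH", r, 0x18, 0, 0, 0, 0, 1, 0)                    # type dir: 1 named entry
    struct.pack_into("<II", r, 0x28, 0x80000000 | 0x48, 0x80000000 | 0x30)   # "SCRIPT" -> dir 0x30
    struct.pack_into("<IIHHHH", r, 0x30, 0, 0, 0, 0, 0, 1)                    # name dir: 1 id entry
    struct.pack_into("<II", r, 0x40, 0x409, 0x58)                             # lang -> data entry 0x58
    struct.pack_into("<H12s", r, 0x48, 6, "SCRIPT".encode("utf-16-le"))      # length-prefixed name
    struct.pack_into("<IIII", r, 0x58, RSRC_RVA + 0x70, len(payload), 0, 0)  # data entry: RVA, size
    r += payload
    h = bytearray(RSRC_RAW)
    h[:2], h[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x40)                                     # e_lfanew
    struct.pack_into("<HHIIIHH", h, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)      # COFF: i386, 1 section
    struct.pack_into("<H", h, 0x58, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", h, 0x58 + 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", h, 0x58 + 96 + 2 * 8, RSRC_RVA, len(r))          # resource directory
    struct.pack_into("<8sIIII", h, 0x58 + 224, b".rsrc", len(r), RSRC_RVA, len(r), RSRC_RAW)
    return bytes(h + r)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("compiled AutoIt script resource present:", looks_like_compiled_autoit(data))
```

Run it with the sample path as the only argument to check a real file; with no argument it checks the constructed PE. The walker only follows the RCDATA/"SCRIPT" branch and stops at the first language entry, which is all this triage needs; a packed sample that unpacks the AutoIt runtime at run time (as the "Maps a DLL or memory area into another process" signature suggests may happen here) will only show the resource in the dumped image, not in the file on disk.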


                                            APIs
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 006D2B6B
                                              • Part of subcall function 006D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007A1418,?,006D2E7F,?,?,?,00000000), ref: 006D3A78
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • GetForegroundWindow.USER32(runas,?,?,?,?,?,00792224), ref: 00712C10
                                            • ShellExecuteW.SHELL32(00000000,?,?,00792224), ref: 00712C17
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                            • String ID: runas
                                            • API String ID: 448630720-4000483414
                                            • Opcode ID: b1e5703fa987abb7ec6dc717fe2bdc8aca9feec1c0e181e032dfbafbcf270733
                                            • Instruction ID: d643540db0769af3fb9bac1b6c5997cb7f89ac590afa182eb39c11fd9de8d72d
                                            • Opcode Fuzzy Hash: b1e5703fa987abb7ec6dc717fe2bdc8aca9feec1c0e181e032dfbafbcf270733
                                            • Instruction Fuzzy Hash: 28112C31E083915AD755FF64D8519BE7BA69FE5744F44442FF082023A3CF68894AC71B
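The three API summaries above are the call/string combinations behind several of the overview's signatures: 006D42DE resolves GetNativeSystemInfo through GetProcAddress after IsWow64Process (OS and architecture fingerprinting, most likely the AutoIt runtime populating its own environment macros), 006D42A2 reads the RCDATA "SCRIPT" resource (the compiled-AutoIt indicator), and 006D2B25 calls ShellExecuteW with the runas verb after SetCurrentDirectoryW (the "launch a program with higher privileges" signature, a relaunch of the executable as administrator). As an added example that is not part of the report, the following Python parses summaries in the format this page prints and labels each function; the three sample blocks are copied from the summaries above, while the regular expressions, the rule table and its labels are this example's own assumptions about the format and are not Joe Sandbox's.

```python
"""Added example (not part of the report): parse per-function API summaries in the format
Joe Sandbox prints on this page and map API/string combinations to behaviours."""
import re

# One API line:   • ShellExecuteW.SHELL32(00000000,?,?,00792224), ref: 00712C17
# Sub-call lines carry a "Part of subcall function XXXX:" prefix; CRT lines without an
# argument list (e.g. "_wcslen.LIBCMT ref: ...") do not match and are skipped.
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_ID_LINE = re.compile(r"^\s*[•*-]\s*String ID:\s*(?P<ids>.*)$")
NOT_A_STRING = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")      # stack slots / unresolved args

# (label, APIs that must all be present, string that must be present or None).
# The labels are this example's own; they follow the report's Signatures wording.
RULES = (
    ("compiled-AutoIt script loader (RT_RCDATA 'SCRIPT')",
     {"FindResourceExW", "LoadResource", "LockResource"}, "SCRIPT"),
    ("self-elevation relaunch (ShellExecuteW with 'runas')",
     {"ShellExecuteW"}, "runas"),
    ("OS/architecture fingerprinting (WOW64 + native system info)",
     {"IsWow64Process", "GetNativeSystemInfo"}, None),
)

def parse_block(text):
    """Return the APIs, their call sites and the string arguments of one function summary."""
    apis, refs, strings = set(), {}, set()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            apis.add(m.group("api"))
            refs[m.group("api")] = int(m.group("ref"), 16)
            for arg in m.group("args").split(","):
                arg = arg.strip()
                if arg and not NOT_A_STRING.match(arg):
                    strings.add(arg)
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            strings.update(s for s in m.group("ids").split("$") if s)
    return {"apis": apis, "refs": refs, "strings": strings}

def classify(block):
    """Labels whose required APIs (and required string, if any) all occur in the block."""
    return [label for label, needed, needle in RULES
            if needed <= block["apis"] and (needle is None or needle in block["strings"])]

def triage(blocks):
    """Function address -> behaviour labels, for a dict of summaries."""
    return {addr: classify(parse_block(text)) for addr, text in blocks.items()}

# Copied from the three API summaries on this page (006D42DE, 006D42A2, 006D2B25).
SAMPLE_BLOCKS = {
    "006D42DE": """\
• GetVersionExW.KERNEL32(?), ref: 006D430D
  • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
• GetCurrentProcess.KERNEL32(?,0076CB64,00000000,?,?), ref: 006D4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 006D4429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006D4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006D4466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006D4474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 006D447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 006D44A0
• String ID: GetNativeSystemInfo$kernel32.dll$|O
""",
    "006D42A2": """\
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42C9
• LoadResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135BE
• SizeofResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135D3
• LockResource.KERNEL32(006D50AA,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20,?), ref: 007135E6
• String ID: SCRIPT
""",
    "006D2B25": """\
• SetCurrentDirectoryW.KERNEL32(?), ref: 006D2B6B
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00792224), ref: 00712C10
• ShellExecuteW.SHELL32(00000000,?,?,00792224), ref: 00712C17
• String ID: runas
""",
}

if __name__ == "__main__":
    for addr, labels in triage(SAMPLE_BLOCKS).items():
        print(addr, "->", ", ".join(labels) or "(no rule matched)")
```

Note that "runas" surfaces as an argument of GetForegroundWindow rather than of ShellExecuteW: the plugin recovers arguments from stack slots and attributes them to the nearest call, so rules should match strings at function level, as above, not per call. Eight-character hexadecimal arguments and "?" are dropped because they are addresses or unresolved values, not strings.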
                                            APIs
                                            • lstrlenW.KERNEL32(?,00715222), ref: 0073DBCE
                                            • GetFileAttributesW.KERNELBASE(?), ref: 0073DBDD
                                            • FindFirstFileW.KERNELBASE(?,?), ref: 0073DBEE
                                            • FindClose.KERNEL32(00000000), ref: 0073DBFA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FileFind$AttributesCloseFirstlstrlen
                                            • String ID:
                                            • API String ID: 2695905019-0
                                            • Opcode ID: 72eac06d1bf322ed8667c13715d8a6a76d7f68eff1fb54395183526af14965d0
                                            • Instruction ID: 643c8daf687ae83e39368bfd93b56a5a334912e88e81bdc431b8eb0b8de2b057
                                            • Opcode Fuzzy Hash: 72eac06d1bf322ed8667c13715d8a6a76d7f68eff1fb54395183526af14965d0
                                            • Instruction Fuzzy Hash: BFF0A7704206145FA2316B78AC0D47A776CAE01334F108702F876C10E1EBF89D5485AA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID: p#z
                                            • API String ID: 3964851224-2781437441
                                            • Opcode ID: 4353d340038b8781b25c754cce0d61516d8a02669ad14510780a11602f3207dc
                                            • Instruction ID: 8bf7a7f724639f46705f99f24b0665224643b1b2148bf040f0109dbad4b50b56
                                            • Opcode Fuzzy Hash: 4353d340038b8781b25c754cce0d61516d8a02669ad14510780a11602f3207dc
                                            • Instruction Fuzzy Hash: 0FA27D70A08355DFD710CF18C480B6ABBE2BF89314F14896EE89A9B352D775EC45CB92
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: InputSleepStateTimetime
                                            • String ID:
                                            • API String ID: 4149333218-0
                                            • Opcode ID: 50d80c61b57ca0660791f4a6cbac6c5859c92e9bad0082ebdb11b9a33e03ddd3
                                            • Instruction ID: 5a069a0b059f65590e8d978a29e9aa72318cd83de11aca0ebc9c769064dfa5ce
                                            • Opcode Fuzzy Hash: 50d80c61b57ca0660791f4a6cbac6c5859c92e9bad0082ebdb11b9a33e03ddd3
                                            • Instruction Fuzzy Hash: EB423670A04341EFD725EF24C844BAAB7E2BF86304F14851EF8568B392D779E845CB92


                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 006D2D07
                                            • RegisterClassExW.USER32(00000030), ref: 006D2D31
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D2D42
                                            • InitCommonControlsEx.COMCTL32(?), ref: 006D2D5F
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D2D6F
                                            • LoadIconW.USER32(000000A9), ref: 006D2D85
                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D2D94
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                            • API String ID: 2914291525-1005189915
                                            • Opcode ID: abf4921485fad8f7decfba4dde7d85d2729b00000cda5d9487c7e036090d72f4
                                            • Instruction ID: d41e656721f8152c92dd79ceb61baa6bd4ecab2fdab06af11c530d46052495e0
                                            • Opcode Fuzzy Hash: abf4921485fad8f7decfba4dde7d85d2729b00000cda5d9487c7e036090d72f4
                                            • Instruction Fuzzy Hash: 712127B0901358AFEB01DFA4EC48BEEBBB4FB48700F00811AF552A62A0D7B91544CF99

                                            Control-flow Graph (function 00708D45; block edge list from the IDA plugin; no Win32 API summary is given for this function). CRT-style read routine: GetConsoleMode selects between ReadConsoleW and ReadFile, with GetLastError queried when either call fails.
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .o
                                            • API String ID: 0-1957372423
                                            • Opcode ID: a2d2d4247ac27b2bcf4d84df3ef3fe38d0109192b34bf9c5af5081b4b5290163
                                            • Instruction ID: 828c8c3f5b6c32db5ec654f076e1baca557b93afdc6cd4675d5c4b882d78edf1
                                            • Opcode Fuzzy Hash: a2d2d4247ac27b2bcf4d84df3ef3fe38d0109192b34bf9c5af5081b4b5290163
                                            • Instruction Fuzzy Hash: E3C1F174A0424AEFDB51DFA8C844BADBBF1AF49310F044299F654AB3D3C7389941CB61

                                            Control-flow Graph
                                            APIs
                                              • Part of subcall function 0071039A: CreateFileW.KERNELBASE(00000000,00000000,?,00710704,?,?,00000000,?,00710704,00000000,0000000C), ref: 007103B7
                                            • GetLastError.KERNEL32 ref: 0071076F
                                            • __dosmaperr.LIBCMT ref: 00710776
                                            • GetFileType.KERNELBASE(00000000), ref: 00710782
                                            • GetLastError.KERNEL32 ref: 0071078C
                                            • __dosmaperr.LIBCMT ref: 00710795
                                            • CloseHandle.KERNEL32(00000000), ref: 007107B5
                                            • CloseHandle.KERNEL32(?), ref: 007108FF
                                            • GetLastError.KERNEL32 ref: 00710931
                                            • __dosmaperr.LIBCMT ref: 00710938
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                            • String ID: H
                                            • API String ID: 4237864984-2852464175
                                            • Opcode ID: 3d7b2947b5edf9c0b645642d35edd098d24897b8e53abf504cab54786642d6e1
                                            • Instruction ID: de18356d564fffede57596023328c43ca7459cb933514b6fe10b67b89811eae9
                                            • Opcode Fuzzy Hash: 3d7b2947b5edf9c0b645642d35edd098d24897b8e53abf504cab54786642d6e1
                                            • Instruction Fuzzy Hash: 17A14332A001088FDF19AF6CD895BEE3BA1AF46320F14415DF811AB3D1C7799992CBD5

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 006D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007A1418,?,006D2E7F,?,?,?,00000000), ref: 006D3A78
                                              • Part of subcall function 006D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006D3379
                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006D356A
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0071318D
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007131CE
                                            • RegCloseKey.ADVAPI32(?), ref: 00713210
                                            • _wcslen.LIBCMT ref: 00713277
                                            • _wcslen.LIBCMT ref: 00713286
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                            • API String ID: 98802146-2727554177
                                            • Opcode ID: 227d8177f31fa50011be29bc157113e27b006b11e8a3cf1483aee022b39d4c24
                                            • Instruction ID: dc0eb2053d3abf49d6fd92b1ba64864e9878e76d5ca4e9013eeafbc660286080
                                            • Opcode Fuzzy Hash: 227d8177f31fa50011be29bc157113e27b006b11e8a3cf1483aee022b39d4c24
                                            • Instruction Fuzzy Hash: A571B6715043009FC744EF69DC418ABBBE8FF86740F40842EF545872B1EB789A49CB59

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 006D2B8E
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 006D2B9D
                                            • LoadIconW.USER32(00000063), ref: 006D2BB3
                                            • LoadIconW.USER32(000000A4), ref: 006D2BC5
                                            • LoadIconW.USER32(000000A2), ref: 006D2BD7
                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006D2BEF
                                            • RegisterClassExW.USER32(?), ref: 006D2C40
                                              • Part of subcall function 006D2CD4: GetSysColorBrush.USER32(0000000F), ref: 006D2D07
                                              • Part of subcall function 006D2CD4: RegisterClassExW.USER32(00000030), ref: 006D2D31
                                              • Part of subcall function 006D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D2D42
                                              • Part of subcall function 006D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006D2D5F
                                              • Part of subcall function 006D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D2D6F
                                              • Part of subcall function 006D2CD4: LoadIconW.USER32(000000A9), ref: 006D2D85
                                              • Part of subcall function 006D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D2D94
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                            • String ID: #$0$AutoIt v3
                                            • API String ID: 423443420-4155596026
                                            • Opcode ID: f6d9fe7856e3c8a7354fb36c54262a62cdc0eea2523d96967e22a9d9ffcae6af
                                            • Instruction ID: 7553c93a847984972d24c8f2b4edff7a2396c84a6737d1a18b6c23467bec22d9
                                            • Opcode Fuzzy Hash: f6d9fe7856e3c8a7354fb36c54262a62cdc0eea2523d96967e22a9d9ffcae6af
                                            • Instruction Fuzzy Hash: A7213874E00328AFEF119FA5EC55AA97FF4FB89B50F40802AE505A66A0D3B90540CF98

                                            Control-flow Graph
                                            APIs
                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006D316A,?,?), ref: 006D31D8
                                            • KillTimer.USER32(?,00000001,?,?,?,?,?,006D316A,?,?), ref: 006D3204
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006D3227
                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006D316A,?,?), ref: 006D3232
                                            • CreatePopupMenu.USER32 ref: 006D3246
                                            • PostQuitMessage.USER32(00000000), ref: 006D3267
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                            • String ID: TaskbarCreated
                                            • API String ID: 129472671-2362178303
                                            • Opcode ID: 6e64a3d7810ccf1134e4c719745f5b1c9a230bc79054236fef289f36023ce565
                                            • Instruction ID: 317a016b31a23cfbf3fec66c0101b0bc463eafdfe01ad8dcbd26cf9c7b3828b7
                                            • Opcode Fuzzy Hash: 6e64a3d7810ccf1134e4c719745f5b1c9a230bc79054236fef289f36023ce565
                                            • Instruction Fuzzy Hash: A2414C35E00261A7EF151F789C0D7B9361BE786340F048127F542853E2C7AE9B4197AB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D%z$D%z$D%z$D%z$D%zD%z$Variable must be of type 'Object'.
                                            • API String ID: 0-1874280672
                                            • Opcode ID: 9e5b22628fe4105a6260a46c776eda50ec79dcd26f6efb3eb1fd9fa0a3997ead
                                            • Instruction ID: 1b46072e2f65bd35412a9813bf7e5d9bcaff1260729c27f0cccc1bcf8af2f3bc
                                            • Opcode Fuzzy Hash: 9e5b22628fe4105a6260a46c776eda50ec79dcd26f6efb3eb1fd9fa0a3997ead
                                            • Instruction Fuzzy Hash: 43C28F71E00215CFCB24EF58D880AADB7B2BF49310F24855AE915AF351D37AED42CB95

                                            Control-flow Graph
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01212559
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0121277F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389830799.000000000120F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0120F000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_120f000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateFileFreeVirtual
                                            • String ID:
                                            • API String ID: 204039940-0
                                            • Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                            • Instruction ID: 09a2e31c8aed68b784186cabfa57eb9d925b7935307bfe9f02ea6a8cd1d6b22b
                                            • Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                            • Instruction Fuzzy Hash: 5FA13770E10209EFDB14CFA4C895BEEBBB5BF58304F208559E601BB284D7759A41CF54

                                            Control-flow Graph
                                            APIs
                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006D2C91
                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006D2CB2
                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,006D1CAD,?), ref: 006D2CC6
                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,006D1CAD,?), ref: 006D2CCF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$CreateShow
                                            • String ID: AutoIt v3$edit
                                            • API String ID: 1584632944-3779509399
                                            • Opcode ID: 8af7501be3801dd75187bb8726b3ba6a6747097ff38a971ee5dfa69d0d93c0a4
                                            • Instruction ID: 787d24c39cf6fb796c215e81ff7ac9d04635382443816d346e496bd3e0d5c981
                                            • Opcode Fuzzy Hash: 8af7501be3801dd75187bb8726b3ba6a6747097ff38a971ee5dfa69d0d93c0a4
                                            • Instruction Fuzzy Hash: A2F0DA765403A07AFB311B17AC08E773EBDD7C7F61F40805AF900A29A0C6A91850DEB8

                                            Control-flow Graph
                                            APIs
                                              • Part of subcall function 01212178: Sleep.KERNELBASE(000001F4), ref: 01212189
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0121237E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389830799.000000000120F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0120F000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_120f000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateFileSleep
                                            • String ID: DDEARHOC4I1D
                                            • API String ID: 2694422964-2836395306
                                            • Opcode ID: b630480de3b69e828777f95900b7e5a00fea5ee87e204c6ed3f0628d4b52872a
                                            • Instruction ID: ac554d697a448d5891768e0a4de26602c41a4cc1fe9de828dbe926d867f43003
                                            • Opcode Fuzzy Hash: b630480de3b69e828777f95900b7e5a00fea5ee87e204c6ed3f0628d4b52872a
                                            • Instruction Fuzzy Hash: 3A51A471D5425ADBEF11DBE4C805BEEBBB5AF58300F1041A8E708BB2C4D6B90B44CBA5

                                            Control-flow Graph
                                            APIs
                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742C05
                                            • DeleteFileW.KERNEL32(?), ref: 00742C87
                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00742C9D
                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742CAE
                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742CC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: File$Delete$Copy
                                            • String ID:
                                            • API String ID: 3226157194-0
                                            • Opcode ID: 68c8dd588080682e63b00deb44ceb79574afa5dea8e276c082dfef4a09e66a6a
                                            • Instruction ID: 445dfe9723d1cc7f5bda5f376bfaf13b66ee5bf9e829e6538597da3803ab7554
                                            • Opcode Fuzzy Hash: 68c8dd588080682e63b00deb44ceb79574afa5dea8e276c082dfef4a09e66a6a
                                            • Instruction Fuzzy Hash: 10B16EB1D0011DABDF11DBA4CC85EEEBB7DEF48300F5040AAFA09E6152EB349A558F65

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: JOm
                                            • API String ID: 0-3333332779
                                            • Opcode ID: cde4c688588551de0a28c681058d18ecc55db013d10646234923373592580bfd
                                            • Instruction ID: ec307cee2fc0882e5dbade6ab52665bad6e072e5f87d58178f11db81b096e02d
                                            • Opcode Fuzzy Hash: cde4c688588551de0a28c681058d18ecc55db013d10646234923373592580bfd
                                            • Instruction Fuzzy Hash: 3451CEB190060AEFDF219FA4C849EBFBBF9AF45314F14025AF405A72D2D6799A01CF61
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B40
                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B61
                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B83
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: Control Panel\Mouse
                                            • API String ID: 3677997916-824357125
                                            • Opcode ID: 2a1ac18a7148543ce1773203751be109abdcc8a83c13f953537b7875f6a4ae53
                                            • Instruction ID: a016f2bcac2245288c30e5814549a6a72c063dfa92362300d28b2eb19b8a528d
                                            • Opcode Fuzzy Hash: 2a1ac18a7148543ce1773203751be109abdcc8a83c13f953537b7875f6a4ae53
                                            • Instruction Fuzzy Hash: 64112AB5910218FFDB218FA5DC44AEEB7B9EF24744B10846BE845D7310E2719E409765
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 012119A5
                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012119C9
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012119EB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389830799.000000000120F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0120F000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_120f000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                            • String ID:
                                            • API String ID: 2438371351-0
                                            • Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                            • Instruction ID: 08b684743ce4ebeb12d8c17207cb8498e6ee0bb2a41621bd56e10460f119064f
                                            • Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                            • Instruction Fuzzy Hash: 8362F030A24219DBEB24CFA4C841BDEB776FF68300F1051A9D20DEB294E7759E91CB55
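The three calls listed above (CreateProcessW, then Wow64GetThreadContext with ContextFlags 0x10007, then a 4-byte ReadProcessMemory) come from code at 0x120F000 that the dump marks as not backed by a PE image, which is the opening of the process-hollowing chain behind the report's "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures. As an added example, not part of the Joe Sandbox report, the Python triage script below parses API lines in the report's own format and scores each function for that chain. The sample input is constructed from the lines of this page; the WriteProcessMemory, SetThreadContext and ResumeThread names in the stage table are the usual continuation of the chain and are assumptions, not calls observed in this sample. 0x10007 is CONTEXT_FULL for x86 (CONTEXT_i386 | CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS).

```python
import re

# Constructed sample input in the report's own "APIs" / "Memory Dump Source"
# format: the function at 0x120F000 (CreateProcessW, Wow64GetThreadContext,
# ReadProcessMemory, region not backed by a PE) and, for contrast, the AutoIt
# runtime's temp-file routine from the PE-backed image at 0x6D0000.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 012119A5
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012119C9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012119EB
Memory Dump Source
• Source File: 00000000.00000002.1389830799.000000000120F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0120F000, based on PE: false
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0074302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00743044
Memory Dump Source
• Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
"""

# One API line: optional "Part of subcall function XXXX:" prefix, Name.Module(args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([\w@]+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
PE_LINE = re.compile(r"based on PE:\s*(true|false)", re.IGNORECASE)

# Stages of the classic process-hollowing chain, keyed to the user-mode APIs
# that implement them. Only the first three stages are observed on this page;
# the write/set-context/resume names are the usual continuation of the chain
# and are listed here as an assumption, not as calls seen in this sample.
STAGES = {
    "spawn": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "get_context": {"GetThreadContext", "Wow64GetThreadContext"},
    "read_remote": {"ReadProcessMemory", "NtReadVirtualMemory"},
    "write_remote": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "set_context": {"SetThreadContext", "Wow64SetThreadContext"},
    "resume": {"ResumeThread", "NtResumeThread"},
}

CONTEXT_FULL_X86 = "00010007"  # CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS


def parse_functions(text):
    """Split report text into per-function records: API calls plus the PE-backed flag."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"apis": [], "pe_backed": None}
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            name, module, args, ref = m.groups()
            current["apis"].append({
                "name": name,
                "module": module,
                "args": [a.strip() for a in args.split(",")] if args else [],
                "ref": int(ref, 16),
            })
            continue
        m = PE_LINE.search(line)
        if m:
            current["pe_backed"] = m.group(1).lower() == "true"
    return functions


def hollowing_stages(func):
    """Ordered list of distinct hollowing stages hit by the function's API calls."""
    hit = []
    for api in func["apis"]:
        for stage, names in STAGES.items():
            if api["name"] in names and stage not in hit:
                hit.append(stage)
    return hit


def assess(func, min_stages=3):
    """Return (verdict, notes): 'suspicious' once min_stages of the chain appear."""
    stages = hollowing_stages(func)
    notes = []
    if len(stages) >= min_stages:
        notes.append(f"process-hollowing prelude: {' -> '.join(stages)}")
        for api in func["apis"]:
            if api["name"] in STAGES["get_context"] and api["args"][-1:] == [CONTEXT_FULL_X86]:
                notes.append("CONTEXT_FULL (0x10007) requested for a WOW64 child thread")
            if api["name"] in STAGES["read_remote"] and len(api["args"]) > 3 and api["args"][3] == "00000004":
                notes.append("4-byte remote read, i.e. a single 32-bit pointer from the child")
    if func["pe_backed"] is False and func["apis"]:
        notes.append("caller's code is not backed by a PE image: unpacked or injected stage")
    verdict = "suspicious" if len(stages) >= min_stages else "benign"
    return verdict, notes


if __name__ == "__main__":
    for func in parse_functions(SAMPLE_REPORT):
        verdict, notes = assess(func)
        print(verdict, [api["name"] for api in func["apis"]])
        for note in notes:
            print("   ", note)
```

The threshold of three stages is deliberate: a spawn plus a context fetch alone is what a debugger or a crash handler also does, and it is the remote read of a pointer-sized value from a freshly created child, issued from non-image-backed memory, that makes this function worth pulling into a memory dump of the child and checking for the later write/set-context/resume calls.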
                                            APIs
                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007133A2
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 006D3A04
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: IconLoadNotifyShell_String_wcslen
                                            • String ID: Line:
                                            • API String ID: 2289894680-1585850449
                                            • Opcode ID: 792bf2d108039819a8f3a339dce32b960f52f08debc26de41ca1c495deba0cd0
                                            • Instruction ID: 0354fac024e60cba6414f79df7e83547fb0b576bcdba87e76b01c74a7e09d29a
                                            • Opcode Fuzzy Hash: 792bf2d108039819a8f3a339dce32b960f52f08debc26de41ca1c495deba0cd0
                                            • Instruction Fuzzy Hash: 6531E171908324AED761EF20DC45BEBB7D9AB81710F00492FF59982391EB749A48C7DB
                                            APIs
                                            • GetOpenFileNameW.COMDLG32(?), ref: 00712C8C
                                              • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                                              • Part of subcall function 006D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006D2DC4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Name$Path$FileFullLongOpen
                                            • String ID: X$`ey
                                            • API String ID: 779396738-2559956516
                                            • Opcode ID: e94d857ff92967d5dc60788d4c5aeac331d5f787aa5bd4110fd4c6f216114c4d
                                            • Instruction ID: f3acd069783520a3427f4d5b7f73361928434ce1b4181c12e51c1640b2e94f7e
                                            • Opcode Fuzzy Hash: e94d857ff92967d5dc60788d4c5aeac331d5f787aa5bd4110fd4c6f216114c4d
                                            • Instruction Fuzzy Hash: 8F21D571E002989FCF41EF94D805BEE7BFDAF49304F00805AE505A7381DBB85A898FA5
                                            APIs
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 006F0668
                                              • Part of subcall function 006F32A4: RaiseException.KERNEL32(?,?,?,006F068A,?,007A1444,?,?,?,?,?,?,006F068A,006D1129,00798738,006D1129), ref: 006F3304
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 006F0685
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw$ExceptionRaise
                                            • String ID: Unknown exception
                                            • API String ID: 3476068407-410509341
                                            • Opcode ID: 9624c099be955ac27282aee6e8feb6b4d6941a1a7faf43a8a943944316501cc5
                                            • Instruction ID: b9d73844da9c657c03d5d666fbaf22f2a80c3876ad2761b0dae18602de265253
                                            • Opcode Fuzzy Hash: 9624c099be955ac27282aee6e8feb6b4d6941a1a7faf43a8a943944316501cc5
                                            • Instruction Fuzzy Hash: 81F0AF2490030D678F40BBA5EC46CBE7B6E5E40350B604139BA14D6697EF71EA268685
                                            APIs
                                            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0074302F
                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00743044
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Temp$FileNamePath
                                            • String ID: aut
                                            • API String ID: 3285503233-3010740371
                                            • Opcode ID: 12435f73c79b8c93f44dd01208a040813a5f9e4d8c42e0d4135ebda64f38900d
                                            • Instruction ID: c0ca576805dbb845f597cac923ba711d507ade49646d5fa07fe5abf165e31afc
                                            • Opcode Fuzzy Hash: 12435f73c79b8c93f44dd01208a040813a5f9e4d8c42e0d4135ebda64f38900d
                                            • Instruction Fuzzy Hash: B9D05B715003146BDA209794EC0DFD73A6CD704750F004251BA96D6091DAF89544CAD4
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007582F5
                                            • TerminateProcess.KERNEL32(00000000), ref: 007582FC
                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 007584DD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$CurrentFreeLibraryTerminate
                                            • String ID:
                                            • API String ID: 146820519-0
                                            • Opcode ID: 9dcb393c81cad26bde218d199fec8fd7a5f1aa37a7cb9e424dc7548fbdad7946
                                            • Instruction ID: 492b68a35eb308cde17d29ef77a5c1290b98a34d2730457b71771603d70e04b6
                                            • Opcode Fuzzy Hash: 9dcb393c81cad26bde218d199fec8fd7a5f1aa37a7cb9e424dc7548fbdad7946
                                            • Instruction Fuzzy Hash: 75128971A08341CFC754DF28C484B6ABBE1BF88315F04895DE8999B392DB74ED49CB92
                                            APIs
                                              • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006D1BF4
                                              • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006D1BFC
                                              • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006D1C07
                                              • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006D1C12
                                              • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006D1C1A
                                              • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006D1C22
                                              • Part of subcall function 006D1B4A: RegisterWindowMessageW.USER32(00000004,?,006D12C4), ref: 006D1BA2
                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006D136A
                                            • OleInitialize.OLE32 ref: 006D1388
                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 007124AB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                            • String ID:
                                            • API String ID: 1986988660-0
                                            • Opcode ID: 0bcfe639f88879c6f69d3b224a70e40c5c3f1fd45fd58c7fb386079a14c7a82a
                                            • Instruction ID: 9f17bce51822351b02d89f9c5d9e550283cde2b9cd763b378b77b8fce3830cc7
                                            • Opcode Fuzzy Hash: 0bcfe639f88879c6f69d3b224a70e40c5c3f1fd45fd58c7fb386079a14c7a82a
                                            • Instruction Fuzzy Hash: 0771ADB8D053508EE388DF79A8556653AE1BBCB394B84C22ED41ACB361EB3C4450CF4D
                                            APIs
                                              • Part of subcall function 006D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006D3A04
                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0073C259
                                            • KillTimer.USER32(?,00000001,?,?), ref: 0073C261
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0073C270
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_Timer$Kill
                                            • String ID:
                                            • API String ID: 3500052701-0
                                            • Opcode ID: 751bf723eebf0bf457625dbc6ab578cd781bc7db5acf792e18f86f6f29734ddc
                                            • Instruction ID: 2d3a69e6fbb343260bbdb5a6c42e552cdcad933bfd16d72c359573a18a8d570c
                                            • Opcode Fuzzy Hash: 751bf723eebf0bf457625dbc6ab578cd781bc7db5acf792e18f86f6f29734ddc
                                            • Instruction Fuzzy Hash: A831C3B0904354AFFB739F648855BE7BBECAB06304F00449ED2DAA7242C7785A84CB55
                                            APIs
                                            • CloseHandle.KERNELBASE(00000000,00000000,?,?,007085CC,?,00798CC8,0000000C), ref: 00708704
                                            • GetLastError.KERNEL32(?,007085CC,?,00798CC8,0000000C), ref: 0070870E
                                            • __dosmaperr.LIBCMT ref: 00708739
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CloseErrorHandleLast__dosmaperr
                                            • String ID:
                                            • API String ID: 2583163307-0
                                            • Opcode ID: 1f3ace2534ec1a84c40c088d125207bb0b5266ea70c8fa8b1b060441bec4b30f
                                            • Instruction ID: 692483a3ab54d14df2aed2cacb12682a3488c419d939deebaf568e5245d38394
                                            • Opcode Fuzzy Hash: 1f3ace2534ec1a84c40c088d125207bb0b5266ea70c8fa8b1b060441bec4b30f
                                            • Instruction Fuzzy Hash: 6E018232604220D6C6A06374984977F6BC54B92778F3A0319F8449B1D3DEAECC818696
                                            APIs
                                            • TranslateMessage.USER32(?), ref: 006DDB7B
                                            • DispatchMessageW.USER32(?), ref: 006DDB89
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006DDB9F
                                            • Sleep.KERNEL32(0000000A), ref: 006DDBB1
                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00721CC9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                            • String ID:
                                            • API String ID: 3288985973-0
                                            • Opcode ID: 282082dcb78b3febb0da3e76299e30f34f9d04663ef6d4ab30416c1c8bc9c933
                                            • Instruction ID: e8f998d3435fdae2a977c689e175954f9cd3aef6a04c5afed0323581852eeffe
                                            • Opcode Fuzzy Hash: 282082dcb78b3febb0da3e76299e30f34f9d04663ef6d4ab30416c1c8bc9c933
                                            • Instruction Fuzzy Hash: 13F082306453809BE730DB60DC49FEA73ADEF85310F508A1AE65AC31C0DB789488DB29
                                            APIs
                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00742CD4,?,?,?,00000004,00000001), ref: 00742FF2
                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00742CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00743006
                                            • CloseHandle.KERNEL32(00000000,?,00742CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0074300D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandleTime
                                            • String ID:
                                            • API String ID: 3397143404-0
                                            • Opcode ID: 4df2f300734c34f3ecb1ca41f86b93a254bf06f43d938499bfbbbc7d656619c2
                                            • Instruction ID: dd4e283d859ded6fdf0dd26c028b53e92d08271436bc54c910d74d90e3d2b355
                                            • Opcode Fuzzy Hash: 4df2f300734c34f3ecb1ca41f86b93a254bf06f43d938499bfbbbc7d656619c2
                                            • Instruction Fuzzy Hash: BCE0863228031477D6352756BC0DF9B3A5CD786B71F118210F7AA751D086E5250142AC
                                            APIs
                                            • __Init_thread_footer.LIBCMT ref: 006E17F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Init_thread_footer
                                            • String ID: CALL
                                            • API String ID: 1385522511-4196123274
                                            • Opcode ID: 43ceead6c0a6b4ef1ed67966cb27347229cfffe4f9c6426e46bfd34e576cde22
                                            • Instruction ID: f6da508861ad4953d508e1535e926df3e83e9875443ea41a12b65b0f5a42479b
                                            • Opcode Fuzzy Hash: 43ceead6c0a6b4ef1ed67966cb27347229cfffe4f9c6426e46bfd34e576cde22
                                            • Instruction Fuzzy Hash: AE22BEB0609381DFC714DF15C480A2ABBF2BF86314F24895EF4968B3A2D735E955DB82
                                            APIs
                                            • _wcslen.LIBCMT ref: 00746F6B
                                              • Part of subcall function 006D4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EFD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LibraryLoad_wcslen
                                            • String ID: >>>AUTOIT SCRIPT<<<
                                            • API String ID: 3312870042-2806939583
                                            • Opcode ID: 3193564aafc0f531dffbaaba41cd6d31eb69b78f4735b1418c9e32adb83b6404
                                            • Instruction ID: ba556efb17790d468b4679f8ad39c5c8b89a74873f183d39f8a95131d7afef9c
                                            • Opcode Fuzzy Hash: 3193564aafc0f531dffbaaba41cd6d31eb69b78f4735b1418c9e32adb83b6404
                                            • Instruction Fuzzy Hash: C9B181315082018FCB58EF24D49196EB7E6BF94310F04895EF896973A2EF34ED49CB96
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: __fread_nolock
                                            • String ID: EA06
                                            • API String ID: 2638373210-3962188686
                                            • Opcode ID: 2aaa211946ca004be0fbfac83bf44f52a32881ab08cbab255393847560222f4a
                                            • Instruction ID: 23abeb72c3a8032d126283f335a7ac7ed2691ffe952cb8db910ec02898426db4
                                            • Opcode Fuzzy Hash: 2aaa211946ca004be0fbfac83bf44f52a32881ab08cbab255393847560222f4a
                                            • Instruction Fuzzy Hash: 9F01B5729042587EDF58D7A8CC56EBEBBF8DB05305F00459EF252D21C2E5B9E7188B60
                                            APIs
                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D3908
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_
                                            • String ID:
                                            • API String ID: 1144537725-0
                                            • Opcode ID: 2ed42280c6fd359de9776e50ef9d5ef8f3831538986ced566f515d77c849a879
                                            • Instruction ID: 79c42ccf176c1bb4e22486b7fba26b862c6b782aefb7d067f0c048c44b7b10dd
                                            • Opcode Fuzzy Hash: 2ed42280c6fd359de9776e50ef9d5ef8f3831538986ced566f515d77c849a879
                                            • Instruction Fuzzy Hash: 29317F709043119FE761DF24D885797BBE8FB49708F00092EF59A97380E7B5AA44CB56
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 012119A5
                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012119C9
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012119EB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389830799.000000000120F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0120F000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_120f000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                            • String ID:
                                            • API String ID: 2438371351-0
                                            • Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                            • Instruction ID: 78d37f08ae3c515ca23131a7fcac319ec7bb80c7ea9a5876574a062233e48a5d
                                            • Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                            • Instruction Fuzzy Hash: C812DC24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A4E77A4F91CF5A
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                            • Instruction ID: 25dd7bffc6e890be414f4559e2f7636999aa0405ef473f3cd4b0355041b4ef49
                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                            • Instruction Fuzzy Hash: 8031F575A01249DBD718CF5AD4809A9FBA2FF49310B7486A5E809CB755E731EDC1CBC0
                                            APIs
                                              • Part of subcall function 006D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E9C
                                              • Part of subcall function 006D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4EAE
                                              • Part of subcall function 006D4E90: FreeLibrary.KERNEL32(00000000,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EC0
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EFD
                                              • Part of subcall function 006D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E62
                                              • Part of subcall function 006D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4E74
                                              • Part of subcall function 006D4E59: FreeLibrary.KERNEL32(00000000,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E87
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressFreeProc
                                            • String ID:
                                            • API String ID: 2632591731-0
                                            • Opcode ID: 3384d938227856286177b584c6346504aad8db13baf462737e5054dba906d9d4
                                            • Instruction ID: 3769fc95d8d3bfc9fa5135d166221eefd0471c2d829a7552919076a1cec7f099
                                            • Opcode Fuzzy Hash: 3384d938227856286177b584c6346504aad8db13baf462737e5054dba906d9d4
                                            • Instruction Fuzzy Hash: C511E332A10205ABCB14AF64DC06FAD77A6AF80710F10842FF542A62E1EE759E4597A8
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: __wsopen_s
                                            • String ID:
                                            • API String ID: 3347428461-0
                                            • Opcode ID: 8f691da837c2b9d5e3b2184535bbfddf57517aa4d00098b90e1ff1029d6efb54
                                            • Instruction ID: 9e74547d622ed3aa9fcfc4ab4b14abffb69a5afdee45ef2d717e5a564d98165f
                                            • Opcode Fuzzy Hash: 8f691da837c2b9d5e3b2184535bbfddf57517aa4d00098b90e1ff1029d6efb54
                                            • Instruction Fuzzy Hash: A911487190410AEFCB05DF58E9459DE7BF4EF48300F104159F808AB352DA30EA11CBA5
                                            APIs
                                              • Part of subcall function 00704C7D: RtlAllocateHeap.NTDLL(00000008,006D1129,00000000,?,00702E29,00000001,00000364,?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?), ref: 00704CBE
                                            • _free.LIBCMT ref: 0070506C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AllocateHeap_free
                                            • String ID:
                                            • API String ID: 614378929-0
                                            • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                            • Instruction ID: 11cf934ffb77c74cd605304aa006e28a374b8a00ecd16baae9fbab7f5e5de82b
                                            • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                            • Instruction Fuzzy Hash: 13012672204704EBE3218E65D885A5BFBECFB89370F250B1DE184972C0EA34A805CAB4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                            • Instruction ID: 01e240f1e917896abc80fe4516ec04b53bd0c628eb0e8dd1ba13734fee0edde0
                                            • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                            • Instruction Fuzzy Hash: 52F0F932510A1CD6C6313E698C09BBA37DA9F52335F100719F721D62E2DF75A40286AA
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000008,006D1129,00000000,?,00702E29,00000001,00000364,?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?), ref: 00704CBE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 2a1da503a197f9b7ce5f53b2590544daa5a8d2e2f6e172effb38e5e2b0a3a7dc
                                            • Instruction ID: 3199269f572017f9a9c47764da8140db7e3c88412d754547f9726722210c50b0
                                            • Opcode Fuzzy Hash: 2a1da503a197f9b7ce5f53b2590544daa5a8d2e2f6e172effb38e5e2b0a3a7dc
                                            • Instruction Fuzzy Hash: 43F0B471602228E7FB215F629C09B6B37C9AF817A0F148315FA1AA61C1CA78DC0046F4
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 07224ee06ba8bbdae8e40ca07ef8ee1516b08c0374c19c0fcf1cdc2d67d875c3
                                            • Instruction ID: 09fa9a2ec818a8685a1700816b2f390152e1071dd1a73c792986c850c77d881d
                                            • Opcode Fuzzy Hash: 07224ee06ba8bbdae8e40ca07ef8ee1516b08c0374c19c0fcf1cdc2d67d875c3
                                            • Instruction Fuzzy Hash: EEE0E531101228DAE7212A669C01BAB37CEAF827B0F0582A5FD05928C0CB59DE0182F4
                                            APIs
                                            • FreeLibrary.KERNEL32(?,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4F6D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            • Opcode ID: 6f379503e744c828ed5a7a4d3527db2dc167e4f66e722b20b2b062dffc90dd9a
                                            • Instruction ID: b1c3d25e88725391489fe39014f31fdd2428bd8c71544a5fa44e7e858eb0eb40
                                            • Opcode Fuzzy Hash: 6f379503e744c828ed5a7a4d3527db2dc167e4f66e722b20b2b062dffc90dd9a
                                            • Instruction Fuzzy Hash: 79F01571905752CFDB389F64D490862BBE6AF54329320C96FE2EA82721CB329C44DB50
                                            APIs
                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006D2DC4
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LongNamePath_wcslen
                                            • String ID:
                                            • API String ID: 541455249-0
                                            • Opcode ID: 563135c96dd1cd83bd4d3c0f82aa29a19eab532faf434f93fec962cb82b71e52
                                            • Instruction ID: 96d139bb0ee0fadfac485d8c487a3b054639c80b056c9e4d9a34d1f3b425df6e
                                            • Opcode Fuzzy Hash: 563135c96dd1cd83bd4d3c0f82aa29a19eab532faf434f93fec962cb82b71e52
                                            • Instruction Fuzzy Hash: 48E0CD72A042245BC711A258DC05FEA77EDDFC8790F044076FD09D7248D964AD808554
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: __fread_nolock
                                            • String ID:
                                            • API String ID: 2638373210-0
                                            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                            • Instruction ID: 5af7a22c18f3a1d3a3e355b2a7601ce10ab7de3fbd559ca8b801ade10961ad6c
                                            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                            • Instruction Fuzzy Hash: 9CE048B06097005FDF395E28A8517B677D59F49340F00045EF69B83653E6726856864D
                                            APIs
                                              • Part of subcall function 006D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D3908
                                              • Part of subcall function 006DD730: GetInputState.USER32 ref: 006DD807
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 006D2B6B
                                              • Part of subcall function 006D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006D314E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                            • String ID:
                                            • API String ID: 3667716007-0
                                            • Opcode ID: bee657f5b097ef589e7c36d49020a9b3ee7f8539c9a946633facba3088b42fe9
                                            • Instruction ID: edef477a271c63e4342d898df42b961692f0689ed6ecfbeef44e16163f68a6d8
                                            • Opcode Fuzzy Hash: bee657f5b097ef589e7c36d49020a9b3ee7f8539c9a946633facba3088b42fe9
                                            • Instruction Fuzzy Hash: 5DE08621F0425406CA48BB75A8525BDB75B9BD6355F40553FF14283362CE684945426B
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,00000000,?,00710704,?,?,00000000,?,00710704,00000000,0000000C), ref: 007103B7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 4e6aa5a6ef8f924cad1b38639b3a92f54c517a509182a61a8fd547d73fc8e583
                                            • Instruction ID: d477e03677c6218b0e6dc21e58d2b071fe16924a180e92311d64b03e088f60c5
                                            • Opcode Fuzzy Hash: 4e6aa5a6ef8f924cad1b38639b3a92f54c517a509182a61a8fd547d73fc8e583
                                            • Instruction Fuzzy Hash: 57D06C3204020DBBDF028F84DD06EDA3BAAFB48714F018000FE5856020C776E821AB94
                                            APIs
                                            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006D1CBC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: InfoParametersSystem
                                            • String ID:
                                            • API String ID: 3098949447-0
                                            • Opcode ID: 23e464ea5a9d661a48ab30560df067c658f9e8b9fc96428defa99192b8fb3478
                                            • Instruction ID: 437d8e80dc457f589fb94835ac0b8ea9e3086a13963fd3a3fd871fd89376ef4c
                                            • Opcode Fuzzy Hash: 23e464ea5a9d661a48ab30560df067c658f9e8b9fc96428defa99192b8fb3478
                                            • Instruction Fuzzy Hash: DFC09B352803049FF6154B84BC5AF107754B389B10F54C001F64A555E3C3E51430DA58
                                            APIs
                                            • Sleep.KERNELBASE(000001F4), ref: 01212189
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1389830799.000000000120F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0120F000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_120f000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                            • Instruction ID: 11f287db2c632cfdccb1b32596c807d7e3c25f4bdcaf106cc61c913e0ac93de5
                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                            • Instruction Fuzzy Hash: F8E0E67498010DDFDB00DFB4D54969D7BF4EF04301F100161FD01D2281D6309D508A72
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0076961A
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0076965B
                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0076969F
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007696C9
                                            • SendMessageW.USER32 ref: 007696F2
                                            • GetKeyState.USER32(00000011), ref: 0076978B
                                            • GetKeyState.USER32(00000009), ref: 00769798
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007697AE
                                            • GetKeyState.USER32(00000010), ref: 007697B8
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007697E9
                                            • SendMessageW.USER32 ref: 00769810
                                            • SendMessageW.USER32(?,00001030,?,00767E95), ref: 00769918
                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0076992E
                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00769941
                                            • SetCapture.USER32(?), ref: 0076994A
                                            • ClientToScreen.USER32(?,?), ref: 007699AF
                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007699BC
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007699D6
                                            • ReleaseCapture.USER32 ref: 007699E1
                                            • GetCursorPos.USER32(?), ref: 00769A19
                                            • ScreenToClient.USER32(?,?), ref: 00769A26
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00769A80
                                            • SendMessageW.USER32 ref: 00769AAE
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00769AEB
                                            • SendMessageW.USER32 ref: 00769B1A
                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00769B3B
                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00769B4A
                                            • GetCursorPos.USER32(?), ref: 00769B68
                                            • ScreenToClient.USER32(?,?), ref: 00769B75
                                            • GetParent.USER32(?), ref: 00769B93
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00769BFA
                                            • SendMessageW.USER32 ref: 00769C2B
                                            • ClientToScreen.USER32(?,?), ref: 00769C84
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00769CB4
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00769CDE
                                            • SendMessageW.USER32 ref: 00769D01
                                            • ClientToScreen.USER32(?,?), ref: 00769D4E
                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00769D82
                                              • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00769E05
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                            • String ID: @GUI_DRAGID$@U=u$F$p#z
                                            • API String ID: 3429851547-3246730572
                                            • Opcode ID: e8027b4b60ec734027a5cac4b19118d96f840ad285ff4194ee94c370c636445e
                                            • Instruction ID: 7a275131c28007e500befe792f2272de77986f046660e3848057fefe466901d2
                                            • Opcode Fuzzy Hash: e8027b4b60ec734027a5cac4b19118d96f840ad285ff4194ee94c370c636445e
                                            • Instruction Fuzzy Hash: 44429C34204341EFDB25CF28CC44AAABBE9FF89310F14465DFA9A872A1D779E850CB55
                                            APIs
                                            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007648F3
                                            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00764908
                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00764927
                                            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0076494B
                                            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0076495C
                                            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0076497B
                                            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007649AE
                                            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007649D4
                                            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00764A0F
                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00764A56
                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00764A7E
                                            • IsMenu.USER32(?), ref: 00764A97
                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00764AF2
                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00764B20
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00764B94
                                            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00764BE3
                                            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00764C82
                                            • wsprintfW.USER32 ref: 00764CAE
                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00764CC9
                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00764CF1
                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00764D13
                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00764D33
                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00764D5A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                            • String ID: %d/%02d/%02d$@U=u
                                            • API String ID: 4054740463-2764005415
                                            • Opcode ID: bd458a8323bbd4783492e02ebcc4593ff79d23ba614bbc8544118438723e1bed
                                            • Instruction ID: ad4ffb4d250d748a69cbfe89c402f1c4327c732937e39f5e5be5d4a7b59b8de7
                                            • Opcode Fuzzy Hash: bd458a8323bbd4783492e02ebcc4593ff79d23ba614bbc8544118438723e1bed
                                            • Instruction Fuzzy Hash: CB12FD71600345ABEB258F24DC49FBE7BF8EF45310F148169F916EB2A1DBB89940CB54
                                            APIs
                                            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006EF998
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0072F474
                                            • IsIconic.USER32(00000000), ref: 0072F47D
                                            • ShowWindow.USER32(00000000,00000009), ref: 0072F48A
                                            • SetForegroundWindow.USER32(00000000), ref: 0072F494
                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0072F4AA
                                            • GetCurrentThreadId.KERNEL32 ref: 0072F4B1
                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0072F4BD
                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0072F4CE
                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0072F4D6
                                            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0072F4DE
                                            • SetForegroundWindow.USER32(00000000), ref: 0072F4E1
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F4F6
                                            • keybd_event.USER32(00000012,00000000), ref: 0072F501
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F50B
                                            • keybd_event.USER32(00000012,00000000), ref: 0072F510
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F519
                                            • keybd_event.USER32(00000012,00000000), ref: 0072F51E
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F528
                                            • keybd_event.USER32(00000012,00000000), ref: 0072F52D
                                            • SetForegroundWindow.USER32(00000000), ref: 0072F530
                                            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0072F557
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 4125248594-2988720461
                                            • Opcode ID: 17de642866ee97a1ccacce39f5d04e374aea8e4a31b135403823bef0630b0f23
                                            • Instruction ID: 926c1e45b0aee2b34e01e9e6b845a478888befba4b1de5e980da59b5c3e4829e
                                            • Opcode Fuzzy Hash: 17de642866ee97a1ccacce39f5d04e374aea8e4a31b135403823bef0630b0f23
                                            • Instruction Fuzzy Hash: F2319671A403187BEB216FB65C4AFBF7E7CEB44B50F204065F602E61D1C6F55D10AA64
                                            APIs
                                              • Part of subcall function 007316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                                              • Part of subcall function 007316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                                              • Part of subcall function 007316C3: GetLastError.KERNEL32 ref: 0073174A
                                            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00731286
                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007312A8
                                            • CloseHandle.KERNEL32(?), ref: 007312B9
                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007312D1
                                            • GetProcessWindowStation.USER32 ref: 007312EA
                                            • SetProcessWindowStation.USER32(00000000), ref: 007312F4
                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00731310
                                              • Part of subcall function 007310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007311FC), ref: 007310D4
                                              • Part of subcall function 007310BF: CloseHandle.KERNEL32(?,?,007311FC), ref: 007310E9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                            • String ID: $default$winsta0$Zy
                                            • API String ID: 22674027-3658735108
                                            • Opcode ID: 51092e6c26b932fcb81f3025abe637e1552b6bc0a0653419f0f1906effad2748
                                            • Instruction ID: 2286707e369433f30c1929e76b8c96cb9e6e2cba471c3f6a0c462a38e4463468
                                            • Opcode Fuzzy Hash: 51092e6c26b932fcb81f3025abe637e1552b6bc0a0653419f0f1906effad2748
                                            • Instruction Fuzzy Hash: AB81AC71900349AFEF219FA4DC49FFE7BB9EF04700F188129F911A61A2CB798944CB65
                                            APIs
                                              • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                                              • Part of subcall function 007310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                                              • Part of subcall function 007310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                                              • Part of subcall function 007310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                                              • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730BCC
                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00730C00
                                            • GetLengthSid.ADVAPI32(?), ref: 00730C17
                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00730C51
                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730C6D
                                            • GetLengthSid.ADVAPI32(?), ref: 00730C84
                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00730C8C
                                            • HeapAlloc.KERNEL32(00000000), ref: 00730C93
                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00730CB4
                                            • CopySid.ADVAPI32(00000000), ref: 00730CBB
                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00730CEA
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730D0C
                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730D1E
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D45
                                            • HeapFree.KERNEL32(00000000), ref: 00730D4C
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D55
                                            • HeapFree.KERNEL32(00000000), ref: 00730D5C
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D65
                                            • HeapFree.KERNEL32(00000000), ref: 00730D6C
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00730D78
                                            • HeapFree.KERNEL32(00000000), ref: 00730D7F
                                              • Part of subcall function 00731193: GetProcessHeap.KERNEL32(00000008,00730BB1,?,00000000,?,00730BB1,?), ref: 007311A1
                                              • Part of subcall function 00731193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00730BB1,?), ref: 007311A8
                                              • Part of subcall function 00731193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00730BB1,?), ref: 007311B7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                            • String ID:
                                            • API String ID: 4175595110-0
                                            • Opcode ID: d0da6c846c2da9ede811e80dd3f2df1d32031d6f1a5231efb55b3de6e90706bc
                                            • Instruction ID: 2e4cc43748dea0ee93f3fc4515fb786a8a89af4e5da4d4779ff994940bc917d0
                                            • Opcode Fuzzy Hash: d0da6c846c2da9ede811e80dd3f2df1d32031d6f1a5231efb55b3de6e90706bc
                                            • Instruction Fuzzy Hash: 13717D72A0020AABEF11DFA4DC45FEEBBB8BF04300F048555E955A7192D7B9A905CBB0
                                            APIs
                                            • OpenClipboard.USER32(0076CC08), ref: 0074EB29
                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0074EB37
                                            • GetClipboardData.USER32(0000000D), ref: 0074EB43
                                            • CloseClipboard.USER32 ref: 0074EB4F
                                            • GlobalLock.KERNEL32(00000000), ref: 0074EB87
                                            • CloseClipboard.USER32 ref: 0074EB91
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0074EBBC
                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0074EBC9
                                            • GetClipboardData.USER32(00000001), ref: 0074EBD1
                                            • GlobalLock.KERNEL32(00000000), ref: 0074EBE2
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0074EC22
                                            • IsClipboardFormatAvailable.USER32(0000000F), ref: 0074EC38
                                            • GetClipboardData.USER32(0000000F), ref: 0074EC44
                                            • GlobalLock.KERNEL32(00000000), ref: 0074EC55
                                            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0074EC77
                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074EC94
                                            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074ECD2
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0074ECF3
                                            • CountClipboardFormats.USER32 ref: 0074ED14
                                            • CloseClipboard.USER32 ref: 0074ED59
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                            • String ID:
                                            • API String ID: 420908878-0
                                            • Opcode ID: f9ad4836b8881398c805ec99b10c4ec892ae9ad04fb1793d89e9b3b448b4446d
                                            • Instruction ID: 26bca0bc1d2f79236c8b5b7e59c8c7fe617b200fc349f9ecedf46cbd8b36394c
                                            • Opcode Fuzzy Hash: f9ad4836b8881398c805ec99b10c4ec892ae9ad04fb1793d89e9b3b448b4446d
                                            • Instruction Fuzzy Hash: E661AC742043019FD301EF24D898F3A77A5FF84724F08855EF896872A2CB79E905CBA6
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 007469BE
                                            • FindClose.KERNEL32(00000000), ref: 00746A12
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00746A4E
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00746A75
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00746AB2
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00746ADF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                            • API String ID: 3830820486-3289030164
                                            • Opcode ID: ce5ab46fd1609299e68eb528a3760ec7fe76e7fba490e43b7a37ed0cebaf3dc8
                                            • Instruction ID: fe9c467129c160baf71d1a7cbb9fe03151f040d5701f3ae4040243f957447cb9
                                            • Opcode Fuzzy Hash: ce5ab46fd1609299e68eb528a3760ec7fe76e7fba490e43b7a37ed0cebaf3dc8
                                            • Instruction Fuzzy Hash: 42D173B1908340AFC754EBA4D891EABB7EDBF88704F44491EF585C7291EB74DA04CB62
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00749663
                                            • GetFileAttributesW.KERNEL32(?), ref: 007496A1
                                            • SetFileAttributesW.KERNEL32(?,?), ref: 007496BB
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 007496D3
                                            • FindClose.KERNEL32(00000000), ref: 007496DE
                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 007496FA
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0074974A
                                            • SetCurrentDirectoryW.KERNEL32(00796B7C), ref: 00749768
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00749772
                                            • FindClose.KERNEL32(00000000), ref: 0074977F
                                            • FindClose.KERNEL32(00000000), ref: 0074978F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                            • String ID: *.*
                                            • API String ID: 1409584000-438819550
                                            • Opcode ID: 6a189900d562fd0f3cfdd0de180322517b7f1be12165ae9442f54888fe8bf475
                                            • Instruction ID: 9dd12a5f6265c9a0a3a34b12d2d3c94abe420f8161b55ac953df22588976fcbd
                                            • Opcode Fuzzy Hash: 6a189900d562fd0f3cfdd0de180322517b7f1be12165ae9442f54888fe8bf475
                                            • Instruction Fuzzy Hash: B731F9725402196EDF11EFB4DC09AEF77ACAF09320F148156FA56E2190EB78DE448B14
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 007497BE
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00749819
                                            • FindClose.KERNEL32(00000000), ref: 00749824
                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00749840
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00749890
                                            • SetCurrentDirectoryW.KERNEL32(00796B7C), ref: 007498AE
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 007498B8
                                            • FindClose.KERNEL32(00000000), ref: 007498C5
                                            • FindClose.KERNEL32(00000000), ref: 007498D5
                                              • Part of subcall function 0073DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0073DB00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                            • String ID: *.*
                                            • API String ID: 2640511053-438819550
                                            • Opcode ID: c780874a21ad45ac86f7947febb4d53a835f8b8b8cef2efe8260e8610610cd08
                                            • Instruction ID: c049285ddb61d30c35fcd9dfff684781a7d875f4b443f07a49a77d302ff12b77
                                            • Opcode Fuzzy Hash: c780874a21ad45ac86f7947febb4d53a835f8b8b8cef2efe8260e8610610cd08
                                            • Instruction Fuzzy Hash: C931E4715003196EEF11EFB8EC49AEF77ACAF06320F148256FA51A2191DB78DE44CB24
                                            APIs
                                            • GetLocalTime.KERNEL32(?), ref: 00748257
                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00748267
                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00748273
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00748310
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00748324
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00748356
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0074838C
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00748395
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CurrentDirectoryTime$File$Local$System
                                            • String ID: *.*
                                            • API String ID: 1464919966-438819550
                                            • Opcode ID: 0c3c1c8d972425a22753478f90c2e5629657babe5ecc5d1133feb463515690b3
                                            • Instruction ID: b7adcd07df4f8150e2f4655e967cec24d17107c75c5b6f2a12519b71cc609257
                                            • Opcode Fuzzy Hash: 0c3c1c8d972425a22753478f90c2e5629657babe5ecc5d1133feb463515690b3
                                            • Instruction Fuzzy Hash: 5A616A725043099FCB50EF64D8449AEB3E9FF89310F04891EF989C7251EB39E945CB96
                                            APIs
                                              • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                                              • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
                                            • FindFirstFileW.KERNEL32(?,?), ref: 0073D122
                                            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0073D1DD
                                            • MoveFileW.KERNEL32(?,?), ref: 0073D1F0
                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0073D20D
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0073D237
                                              • Part of subcall function 0073D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0073D21C,?,?), ref: 0073D2B2
                                            • FindClose.KERNEL32(00000000,?,?,?), ref: 0073D253
                                            • FindClose.KERNEL32(00000000), ref: 0073D264
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                            • String ID: \*.*
                                            • API String ID: 1946585618-1173974218
                                            • Opcode ID: 6af4909f8d16a995ee0f86de3c465348404e704351793e52b187323de75fd748
                                            • Instruction ID: bce085d378b6d754e39ed4505b7288ef27929317601873dc31b4c67e6b6eb938
                                            • Opcode Fuzzy Hash: 6af4909f8d16a995ee0f86de3c465348404e704351793e52b187323de75fd748
                                            • Instruction Fuzzy Hash: 75618D31D0110D9FDF15EBE0EA929EEB776AF15300F24416AE40277292EB345F09DB65
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                            • String ID:
                                            • API String ID: 1737998785-0
                                            • Opcode ID: d7bc9851155d743fe890564f93417b07b91641f4f64ea739b960c5818ef115ae
                                            • Instruction ID: 76fd42fe24232da41f34ba76e19fb0f16b4ea39360d2add1a9b01192d92906c7
                                            • Opcode Fuzzy Hash: d7bc9851155d743fe890564f93417b07b91641f4f64ea739b960c5818ef115ae
                                            • Instruction Fuzzy Hash: 1C417935604611AFE721DF15D888F2ABBA5FF44328F14C099E8568B662C779EC42CB98
                                            APIs
                                              • Part of subcall function 007316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                                              • Part of subcall function 007316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                                              • Part of subcall function 007316C3: GetLastError.KERNEL32 ref: 0073174A
                                            • ExitWindowsEx.USER32(?,00000000), ref: 0073E932
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                            • String ID: $ $@$SeShutdownPrivilege
                                            • API String ID: 2234035333-3163812486
                                            • Opcode ID: 29605785c4c4f674a4c988537f27825083788cba4fe7177f13e150eb66884608
                                            • Instruction ID: 7644832773076d6076f8b54017c6d6cdc5ef9e16c7ca41c84611a131e81c1e17
                                            • Opcode Fuzzy Hash: 29605785c4c4f674a4c988537f27825083788cba4fe7177f13e150eb66884608
                                            • Instruction Fuzzy Hash: 4B01D672610315EBFB5466B49C8ABBB725CA714750F154522FC03E21D3D5AD6C408395
                                            APIs
                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00751276
                                            • WSAGetLastError.WSOCK32 ref: 00751283
                                            • bind.WSOCK32(00000000,?,00000010), ref: 007512BA
                                            • WSAGetLastError.WSOCK32 ref: 007512C5
                                            • closesocket.WSOCK32(00000000), ref: 007512F4
                                            • listen.WSOCK32(00000000,00000005), ref: 00751303
                                            • WSAGetLastError.WSOCK32 ref: 0075130D
                                            • closesocket.WSOCK32(00000000), ref: 0075133C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                            • String ID:
                                            • API String ID: 540024437-0
                                            • Opcode ID: e11f8cacd6958e878d31d180a7fc7d56a5fac0d13bd429cabf37b67a729695c9
                                            • Instruction ID: 4a023fd7b94370d9522c3e88ee3e41cf9f48f41cd75a973526b27d2c490e090f
                                            • Opcode Fuzzy Hash: e11f8cacd6958e878d31d180a7fc7d56a5fac0d13bd429cabf37b67a729695c9
                                            • Instruction Fuzzy Hash: B6419331A002019FD710DF24C498B69BBE6BF86319F588199D8568F396C7B9EC85CBE1
                                            APIs
                                            • _free.LIBCMT ref: 0070B9D4
                                            • _free.LIBCMT ref: 0070B9F8
                                            • _free.LIBCMT ref: 0070BB7F
                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00773700), ref: 0070BB91
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,007A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0070BC09
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,007A1270,000000FF,?,0000003F,00000000,?), ref: 0070BC36
                                            • _free.LIBCMT ref: 0070BD4B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                            • String ID:
                                            • API String ID: 314583886-0
                                            • Opcode ID: ff62f05893bd03654710251118826394acccf7fcb898ef9175009f9c40334fa1
                                            • Instruction ID: 8b73b1cf3add4b2e3befb79fdd0ba1a848c2488a021a9335b104180babde4212
                                            • Opcode Fuzzy Hash: ff62f05893bd03654710251118826394acccf7fcb898ef9175009f9c40334fa1
                                            • Instruction Fuzzy Hash: A6C118B1A04205DFDB20DF688C45BAABBE9EF82310F64839AE594D72D1D7389F418754
                                            APIs
                                              • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                                              • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
                                            • FindFirstFileW.KERNEL32(?,?), ref: 0073D420
                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0073D470
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0073D481
                                            • FindClose.KERNEL32(00000000), ref: 0073D498
                                            • FindClose.KERNEL32(00000000), ref: 0073D4A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                            • String ID: \*.*
                                            • API String ID: 2649000838-1173974218
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: __floor_pentium4
                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                            • API String ID: 4168288129-2761157908
                                            APIs
                                            • _wcslen.LIBCMT ref: 007464DC
                                            • CoInitialize.OLE32(00000000), ref: 00746639
                                            • CoCreateInstance.OLE32(0076FCF8,00000000,00000001,0076FB68,?), ref: 00746650
                                            • CoUninitialize.OLE32 ref: 007468D4
                                            Strings
                                            Similarity
                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                            • String ID: .lnk
                                            • API String ID: 886957087-24824748
                                            APIs
                                            • GetForegroundWindow.USER32(?,?,00000000), ref: 007522E8
                                              • Part of subcall function 0074E4EC: GetWindowRect.USER32(?,?), ref: 0074E504
                                            • GetDesktopWindow.USER32 ref: 00752312
                                            • GetWindowRect.USER32(00000000), ref: 00752319
                                            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00752355
                                            • GetCursorPos.USER32(?), ref: 00752381
                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007523DF
                                            Similarity
                                            • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                            • String ID:
                                            • API String ID: 2387181109-0
                                            APIs
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00749B78
                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00749C8B
                                              • Part of subcall function 00743874: GetInputState.USER32 ref: 007438CB
                                              • Part of subcall function 00743874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00743966
                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00749BA8
                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00749C75
                                            Strings
                                            Similarity
                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                            • String ID: *.*
                                            • API String ID: 1972594611-438819550
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 006E9A4E
                                            • GetSysColor.USER32(0000000F), ref: 006E9B23
                                            • SetBkColor.GDI32(?,00000000), ref: 006E9B36
                                            Similarity
                                            • API ID: Color$LongProcWindow
                                            • String ID:
                                            • API String ID: 3131106179-0
                                            APIs
                                              • Part of subcall function 0075304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                                              • Part of subcall function 0075304E: _wcslen.LIBCMT ref: 0075309B
                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0075185D
                                            • WSAGetLastError.WSOCK32 ref: 00751884
                                            • bind.WSOCK32(00000000,?,00000010), ref: 007518DB
                                            • WSAGetLastError.WSOCK32 ref: 007518E6
                                            • closesocket.WSOCK32(00000000), ref: 00751915
                                            Similarity
                                            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                            • String ID:
                                            • API String ID: 1601658205-0
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                            • API String ID: 0-1546025612
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007382AA
                                            Strings
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID: ($tby$|
                                            • API String ID: 1659193697-2466584908
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0075A6AC
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0075A6BA
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • Process32NextW.KERNEL32(00000000,?), ref: 0075A79C
                                            • CloseHandle.KERNEL32(00000000), ref: 0075A7AB
                                              • Part of subcall function 006ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00713303,?), ref: 006ECE8A
                                            Similarity
                                            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                            • String ID:
                                            • API String ID: 1991900642-0
                                            APIs
                                            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0073AAAC
                                            • SetKeyboardState.USER32(00000080), ref: 0073AAC8
                                            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0073AB36
                                            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0073AB88
                                            Similarity
                                            • API ID: KeyboardState$InputMessagePostSend
                                            • String ID:
                                            • API String ID: 432972143-0
                                            APIs
                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 0074CE89
                                            • GetLastError.KERNEL32(?,00000000), ref: 0074CEEA
                                            • SetEvent.KERNEL32(?,?,00000000), ref: 0074CEFE
                                            Similarity
                                            • API ID: ErrorEventFileInternetLastRead
                                            • String ID:
                                            • API String ID: 234945975-0
                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 0070271A
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00702724
                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00702731
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                            • String ID:
                                            • API String ID: 3906539128-0
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 007451DA
                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00745238
                                            • SetErrorMode.KERNEL32(00000000), ref: 007452A1
                                            Similarity
                                            • API ID: ErrorMode$DiskFreeSpace
                                            • String ID:
                                            • API String ID: 1682464887-0
                                            • Opcode ID: 1368a1a95e7841840ae6ee3b64f494694afe8f662db0178cf1cb354328d4a80a
                                            • Instruction ID: cb428331a942e173e58d8081716f406feec75a5c1e3b666248eb3a6dbb6df7db
                                            • Opcode Fuzzy Hash: 1368a1a95e7841840ae6ee3b64f494694afe8f662db0178cf1cb354328d4a80a
                                            • Instruction Fuzzy Hash: F3318F75A00608DFDB00DF94D884EADBBB5FF49314F08809AE805AB362DB75EC46CB91
                                            APIs
                                              • Part of subcall function 006EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0668
                                              • Part of subcall function 006EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0685
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                                            • GetLastError.KERNEL32 ref: 0073174A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                            • String ID:
                                            • API String ID: 577356006-0
                                            • Opcode ID: b3972c858636e6ab0fa7aff2e3fdc459fc30a003364eef0cd6d1f50bdbc1210d
                                            • Instruction ID: 058585ce52833b0e7ae5efef695a214eb2aea3def8902183c3392c42866e24c2
                                            • Opcode Fuzzy Hash: b3972c858636e6ab0fa7aff2e3fdc459fc30a003364eef0cd6d1f50bdbc1210d
                                            • Instruction Fuzzy Hash: 0011C1B2404309AFE718AF54DC86D6ABBBDEF04754B24852EE05657242EB75BC418B24
                                            APIs
                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073D608
                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0073D645
                                            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073D650
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CloseControlCreateDeviceFileHandle
                                            • String ID:
                                            • API String ID: 33631002-0
                                            • Opcode ID: 92cd15ec0e4607a55dfc0f5c3501bdad32f40509ec84ba31778af0b7981eb8b4
                                            • Instruction ID: 4b94de717043dfe8f0183ecbf240466d265ef23043a4e2c3a595e0f54d22b1a6
                                            • Opcode Fuzzy Hash: 92cd15ec0e4607a55dfc0f5c3501bdad32f40509ec84ba31778af0b7981eb8b4
                                            • Instruction Fuzzy Hash: 4C117C71E01228BFEB208F95EC45FAFBBBCEB45B50F108111F914E7290C2B44A058BA1
                                            APIs
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0073168C
                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007316A1
                                            • FreeSid.ADVAPI32(?), ref: 007316B1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                            • String ID:
                                            • API String ID: 3429775523-0
                                            • Opcode ID: fe61f2be3367b20cc2006f2da4fc4e16b2eacfb869aaa6c095d1f1dea4584750
                                            • Instruction ID: ce25ff58142e55fb1f2cacf6199394dbe537d454f2c16ef468f29fa9f995e1fd
                                            • Opcode Fuzzy Hash: fe61f2be3367b20cc2006f2da4fc4e16b2eacfb869aaa6c095d1f1dea4584750
                                            • Instruction Fuzzy Hash: 29F0F471950309FBEB00DFE49D89AAEBBBCEB08604F508565E601E2181E778AA448A54
                                            APIs
                                            • GetCurrentProcess.KERNEL32(007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000,?,007028E9), ref: 006F4D09
                                            • TerminateProcess.KERNEL32(00000000,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000,?,007028E9), ref: 006F4D10
                                            • ExitProcess.KERNEL32 ref: 006F4D22
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$CurrentExitTerminate
                                            • String ID:
                                            • API String ID: 1703294689-0
                                            • Opcode ID: 1718cc2e888df65891bc45fcf5e540061adf48f7a6a3b0a8cc9986c471beacb1
                                            • Instruction ID: 53034d1fc41a8cb638c4b4dab46f84ac2bb22d4284ca608a6440f235a070d544
                                            • Opcode Fuzzy Hash: 1718cc2e888df65891bc45fcf5e540061adf48f7a6a3b0a8cc9986c471beacb1
                                            • Instruction Fuzzy Hash: A8E0B63100024CABDF12AF55DD09AAA3F6AEF86781B108018FD569A722DB79DD42CA84
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: /
                                            • API String ID: 0-2043925204
                                            • Opcode ID: 3b70dd2df338deecaea4cae5e0a9675701409c17ec331c537c5c7a859d3da43e
                                            • Instruction ID: e4962ac9915e105f42fb9ed5e245cadedddf7245ddaaffb5c048f85a8d2ff4cb
                                            • Opcode Fuzzy Hash: 3b70dd2df338deecaea4cae5e0a9675701409c17ec331c537c5c7a859d3da43e
                                            • Instruction Fuzzy Hash: 15411372900219EBCB209FB9DC89EBBB7B8EB84314F1083A9F905D71C0E6749D818B50
                                            APIs
                                            • GetUserNameW.ADVAPI32(?,?), ref: 0072D28C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: NameUser
                                            • String ID: X64
                                            • API String ID: 2645101109-893830106
                                            • Opcode ID: b8cfc341ca2d6c387d59d4fa769c0111609583b75a211ffec9d90fcdf6681f46
                                            • Instruction ID: 1119d53399aea9467d0e0056da3568c405e23970d8a8cd78d314b90c0294ea57
                                            • Opcode Fuzzy Hash: b8cfc341ca2d6c387d59d4fa769c0111609583b75a211ffec9d90fcdf6681f46
                                            • Instruction Fuzzy Hash: 8BD0C9B480122DEACB90CB90EC88DE9B3BCBB04305F104151F106A2000D77495498F20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                            • Instruction ID: ba0365c1a72ca61a4afb93015a2935d88e6a427ea186bc285cec63f6549ed68a
                                            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                            • Instruction Fuzzy Hash: 73020B71E0111D9BDF14CFA9C9806EDFBB2EF48324F254169D919EB384D731A941CB94
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Variable is not of type 'Object'.$p#z
                                            • API String ID: 0-3775082255
                                            • Opcode ID: c51b3ba3e65c5e96f5d91a15267fe8a92129cdd6abfe6ba7ffc4acf5b93fc963
                                            • Instruction ID: c77ace521d97e9d5065aeab2a68c06def175dfd7d0993c73d22dcdbcd5200f6e
                                            • Opcode Fuzzy Hash: c51b3ba3e65c5e96f5d91a15267fe8a92129cdd6abfe6ba7ffc4acf5b93fc963
                                            • Instruction Fuzzy Hash: 44327B70D00219DBCF14DF94D895AEDB7B6FF05314F24805AE806AB392D779AE46CBA0
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00746918
                                            • FindClose.KERNEL32(00000000), ref: 00746961
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: b0fbcef897da9bea61239b0c047e1023915fba8999aefa7a7093640c398d35d2
                                            • Instruction ID: 2b3f235004075b184e7897b598c60a9ae3230abdf1cd7d8b6e16b88bbccaa9a2
                                            • Opcode Fuzzy Hash: b0fbcef897da9bea61239b0c047e1023915fba8999aefa7a7093640c398d35d2
                                            • Instruction Fuzzy Hash: DC1190716042019FD710DF29D484A26BBE5FF85328F14C69EE8698F3A2CB74EC05CB91
                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00754891,?,?,00000035,?), ref: 007437E4
                                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00754891,?,?,00000035,?), ref: 007437F4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorFormatLastMessage
                                            • String ID:
                                            • API String ID: 3479602957-0
                                            • Opcode ID: eeeb3748f0d9b9cd206abbd29b1514b920e9d5f0827959c6d410a24b046f5aba
                                            • Instruction ID: 451ca3856260a129efc65e0ee2f8adc78b029877127fe934cec231ddd7e37ac2
                                            • Opcode Fuzzy Hash: eeeb3748f0d9b9cd206abbd29b1514b920e9d5f0827959c6d410a24b046f5aba
                                            • Instruction Fuzzy Hash: 7CF0E5B06053286AE76117668C8DFEB3AAEEFC4761F004265F509D22C1DAB49944C6B0
                                            APIs
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0073B25D
                                            • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 0073B270
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: InputSendkeybd_event
                                            • String ID:
                                            • API String ID: 3536248340-0
                                            • Opcode ID: 0b9322a0ada63b926752078078164d882f61f2b2d9f033001b7b2244826bcd80
                                            • Instruction ID: 6df41ec45da500ad7f6b0bc06ff971cdef3be87976634d45c7f951161a561928
                                            • Opcode Fuzzy Hash: 0b9322a0ada63b926752078078164d882f61f2b2d9f033001b7b2244826bcd80
                                            • Instruction Fuzzy Hash: F7F0127180424DABDB059FA1C8057BE7BB4FF04305F148009F955A5192C77D86119F94
                                            APIs
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007311FC), ref: 007310D4
                                            • CloseHandle.KERNEL32(?,?,007311FC), ref: 007310E9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AdjustCloseHandlePrivilegesToken
                                            • String ID:
                                            • API String ID: 81990902-0
                                            • Opcode ID: ee50b9dda5d22b0e000245f6d4f1ccf62b9ed67df244888495a1e904f0d4b1af
                                            • Instruction ID: 0472cc47743c23b4a69a508b70ba4da402f138558793fee8756d09e48af970e2
                                            • Opcode Fuzzy Hash: ee50b9dda5d22b0e000245f6d4f1ccf62b9ed67df244888495a1e904f0d4b1af
                                            • Instruction Fuzzy Hash: 08E04F32008740AFF7262B12FC05E777BA9EF04310F10C82DF4A6804B1DBA26C90DB14
                                            APIs
                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00706766,?,?,00000008,?,?,0070FEFE,00000000), ref: 00706998
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ExceptionRaise
                                            • String ID:
                                            • API String ID: 3997070919-0
                                            • Opcode ID: bafe0fec2148d9f80ad823e64421f9f7561004f523f59739c99b8bdad8f904e5
                                            • Instruction ID: 7e1ce935d055ed727ac09b44ab553ceba95f5c1b5a756cb68a1575e2e3a477ea
                                            • Opcode Fuzzy Hash: bafe0fec2148d9f80ad823e64421f9f7561004f523f59739c99b8bdad8f904e5
                                            • Instruction Fuzzy Hash: D1B10571610608DFDB15CF28C49AB657BE0FB45364F25C658E899CF2E2C339E9A1CB40
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 302f7e0a285ee33d16a564a68d366b9222082ee351ff8102c472410c7a6da864
                                            • Instruction ID: 0a38e2fa34a2571865719cf329d9a6ff479ba65fcd3c584dcf644860f6bfdf72
                                            • Opcode Fuzzy Hash: 302f7e0a285ee33d16a564a68d366b9222082ee351ff8102c472410c7a6da864
                                            • Instruction Fuzzy Hash: 11127F71901229DBCB54CF59D881AEEB7F5FF48310F1481AAE809EB255EB349E81CF91
                                            APIs
                                            • BlockInput.USER32(00000001), ref: 0074EABD
                                            Similarity
                                            • API ID: BlockInput
                                            • String ID:
                                            • API String ID: 3456056419-0
                                            • Opcode ID: f3d81005c38b7611183402324b452e2980b936fdf5a5f03f3ac515f1accfb41a
                                            • Instruction ID: 40037cca7cd9eb2455f7838ba556cfbcf0cf3592421f0df82704f92a4fce4f06
                                            • Opcode Fuzzy Hash: f3d81005c38b7611183402324b452e2980b936fdf5a5f03f3ac515f1accfb41a
                                            • Instruction Fuzzy Hash: 11E01A312002059FC710EF59D804EAAB7E9BF98770F00C41AFD8AC7361DBB4A8408B94
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006F03EE), ref: 006F09DA
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: f489ea8c91d0fb0b7a3c1d3df5387af7881b36bf58a62d3a021276c51cd31ab5
                                            • Instruction ID: affbd668b4b02449cdead1a49988709635f711dc891ddf25beb500da3dd9948e
                                            • Opcode Fuzzy Hash: f489ea8c91d0fb0b7a3c1d3df5387af7881b36bf58a62d3a021276c51cd31ab5
                                            • Instruction Fuzzy Hash:
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: 0
                                            • API String ID: 0-4108050209
                                            • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                            • Instruction ID: 49cd43dd53e8c6a144dd8756219a9541778ea1c39d6a0f3090c4c4d325dec89c
                                            • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                            • Instruction Fuzzy Hash: 6951797160C70D5BDB388968885E7FE67DB9B12380F18052EEB92D7382CA55DE03D35A
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: 0&z
                                            • API String ID: 0-2820941700
                                            • Opcode ID: d13d7ad5f396863204dd0080da75ade720c532cb8c51b8f80897acd95b46c113
                                            • Instruction ID: 78fa2d245e396c6b82c44dd04dae84c5b4ab51d1a6adbcccf999210eff2e8e03
                                            • Opcode Fuzzy Hash: d13d7ad5f396863204dd0080da75ade720c532cb8c51b8f80897acd95b46c113
                                            • Instruction Fuzzy Hash: BD21E7323216118BD728CF79C82367E73E5A794310F148A2EE4A7C37D1DE3AA905CB84
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9c2066cb2894a89233c51479eac4db81d8b812cabec05727c6e5fca42b3365f
                                            • Instruction ID: 381d433856c0a6ee5eb19534b33c23f731c6521d023dbd8b145d0cc7e36860a5
                                            • Opcode Fuzzy Hash: a9c2066cb2894a89233c51479eac4db81d8b812cabec05727c6e5fca42b3365f
                                            • Instruction Fuzzy Hash: 9D32F221D29F418DD7279634CC22335A689AFB73C5F15D737E82AB59AAEB2DD4C38100
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e82e2b8fff1fdea07d106e46cdf284e001a0bed0978d97c4c53d528e9ae46c9
                                            • Instruction ID: aaca0146c2dc89ad00afd5e2e1306f3546f902c4b8fff4ad2527d53b354d3168
                                            • Opcode Fuzzy Hash: 5e82e2b8fff1fdea07d106e46cdf284e001a0bed0978d97c4c53d528e9ae46c9
                                            • Instruction Fuzzy Hash: FA323931A002A58BDF26CF29E490ABD77B2EF55310F38816AE449DB391D63CDD82DB51
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 431c43382036f0d3c292955f7b47c21ac02d47f6862e25cc1b5e868bfdd92abf
                                            • Instruction ID: a7fd4614074684c2e14e2281b999083a289a15b8dd61a8c58ccfec64ab8c6b87
                                            • Opcode Fuzzy Hash: 431c43382036f0d3c292955f7b47c21ac02d47f6862e25cc1b5e868bfdd92abf
                                            • Instruction Fuzzy Hash: A7229F70E04609DFDF18CF68C881AEEB7B6FF44300F14462AE816A7391EB39A955CB55
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0908df9e82fdb24098a1d2ac3dc79f2f6e43daada36e2dd574162c9fad42cba7
                                            • Instruction ID: 019e2c88f922e2e323763c35d3a9862419e3fe54cc70df31c9e81240140fddc2
                                            • Opcode Fuzzy Hash: 0908df9e82fdb24098a1d2ac3dc79f2f6e43daada36e2dd574162c9fad42cba7
                                            • Instruction Fuzzy Hash: 7E02A6B1E0020AEBDB14DF58D881AADB7B2FF44300F118169E8569B3D1EB35EE51CB95
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                            • Instruction ID: 48ef3eac350dbd7072957ac9b0e768a3e045c12662c550967848adc2fcb8dbc9
                                            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                            • Instruction Fuzzy Hash: 599152722090ABCADB2D427A857407DFFE25A933E231A079ED5F2CE2C1FD14C6559620
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a27130f7ea7df12b1d90b501ae831a013f3873148f0a08b9036079981984457
                                            • Instruction ID: 6834b538051ee04cdaa27bc7852b169284fef0925481475f05999aaa2a527a22
                                            • Opcode Fuzzy Hash: 4a27130f7ea7df12b1d90b501ae831a013f3873148f0a08b9036079981984457
                                            • Instruction Fuzzy Hash: 5461677120C70E9AEE749E2C8D95BFE2397DF52704F10095EEB42DB381DA51AE42C319
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                            • Instruction ID: 05cc462719febcc2cc4e493965056763b16b35087ac5558fbe30128067800669
                                            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                            • Instruction Fuzzy Hash: 9A8176325090A78ADB2D427A85340BEFFE35A933E131A079DD5F6CF2C1EE14D554E660
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 00752B30
                                            • DeleteObject.GDI32(00000000), ref: 00752B43
                                            • DestroyWindow.USER32 ref: 00752B52
                                            • GetDesktopWindow.USER32 ref: 00752B6D
                                            • GetWindowRect.USER32(00000000), ref: 00752B74
                                            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00752CA3
                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00752CB1
                                            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752CF8
                                            • GetClientRect.USER32(00000000,?), ref: 00752D04
                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00752D40
                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D62
                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D75
                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D80
                                            • GlobalLock.KERNEL32(00000000), ref: 00752D89
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D98
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00752DA1
                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DA8
                                            • GlobalFree.KERNEL32(00000000), ref: 00752DB3
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DC5
                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0076FC38,00000000), ref: 00752DDB
                                            • GlobalFree.KERNEL32(00000000), ref: 00752DEB
                                            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00752E11
                                            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00752E30
                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752E52
                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0075303F
                                            Strings
                                            Similarity
                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                            • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                            • API String ID: 2211948467-3613752883
                                            • Opcode ID: f5595ed05157340c7329c10a2d959f1f58b19d3bff0d5c2eab9e6e32c35dd2e4
                                            • Instruction ID: 14c82aa4abbbfd0fa01d2a284d004b6a8ef68a0de11b8e12991e8fc07b1321b2
                                            • Opcode Fuzzy Hash: f5595ed05157340c7329c10a2d959f1f58b19d3bff0d5c2eab9e6e32c35dd2e4
                                            • Instruction Fuzzy Hash: 89029F71900209EFDB15DF64DC89EAE7BB9FB49311F008109F915AB2A1DBB8AD05CF64
                                            APIs
                                            • SetTextColor.GDI32(?,00000000), ref: 0076712F
                                            • GetSysColorBrush.USER32(0000000F), ref: 00767160
                                            • GetSysColor.USER32(0000000F), ref: 0076716C
                                            • SetBkColor.GDI32(?,000000FF), ref: 00767186
                                            • SelectObject.GDI32(?,?), ref: 00767195
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 007671C0
                                            • GetSysColor.USER32(00000010), ref: 007671C8
                                            • CreateSolidBrush.GDI32(00000000), ref: 007671CF
                                            • FrameRect.USER32(?,?,00000000), ref: 007671DE
                                            • DeleteObject.GDI32(00000000), ref: 007671E5
                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00767230
                                            • FillRect.USER32(?,?,?), ref: 00767262
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00767284
                                              • Part of subcall function 007673E8: GetSysColor.USER32(00000012), ref: 00767421
                                              • Part of subcall function 007673E8: SetTextColor.GDI32(?,?), ref: 00767425
                                              • Part of subcall function 007673E8: GetSysColorBrush.USER32(0000000F), ref: 0076743B
                                              • Part of subcall function 007673E8: GetSysColor.USER32(0000000F), ref: 00767446
                                              • Part of subcall function 007673E8: GetSysColor.USER32(00000011), ref: 00767463
                                              • Part of subcall function 007673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00767471
                                              • Part of subcall function 007673E8: SelectObject.GDI32(?,00000000), ref: 00767482
                                              • Part of subcall function 007673E8: SetBkColor.GDI32(?,00000000), ref: 0076748B
                                              • Part of subcall function 007673E8: SelectObject.GDI32(?,?), ref: 00767498
                                              • Part of subcall function 007673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007674B7
                                              • Part of subcall function 007673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007674CE
                                              • Part of subcall function 007673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007674DB
                                            Strings
                                            Similarity
                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                            • String ID: @U=u
                                            • API String ID: 4124339563-2594219639
                                            • Opcode ID: 83529bec22323e96cb12cd5abb8bc6595aa20f2defab122157d32e4d62ec7db9
                                            • Instruction ID: 4b0e5bbc4b233345bf4b39c2bd8dd3a77010c4f2737830aa4d694ecc755e83cf
                                            • Opcode Fuzzy Hash: 83529bec22323e96cb12cd5abb8bc6595aa20f2defab122157d32e4d62ec7db9
                                            • Instruction Fuzzy Hash: F6A1C172008305EFDB069F60DC48E6B7BA9FF89364F104A19F9A3961E1D7B8E844CB55
                                            APIs
                                            • DestroyWindow.USER32(?,?), ref: 006E8E14
                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00726AC5
                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00726AFE
                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00726F43
                                              • Part of subcall function 006E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E8BE8,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8FC5
                                            • SendMessageW.USER32(?,00001053), ref: 00726F7F
                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00726F96
                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00726FAC
                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00726FB7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                            • String ID: 0$@U=u
                                            • API String ID: 2760611726-975001249
                                            • Opcode ID: 3f420435c19c67cce9ef405d329a357a3800991e6031a5731dfce5f5256c87bd
                                            • Instruction ID: c724ab0eb826f205c56a2924846857079c5eaca632d4beb3d7aa03b8300cf4ff
                                            • Opcode Fuzzy Hash: 3f420435c19c67cce9ef405d329a357a3800991e6031a5731dfce5f5256c87bd
                                            • Instruction Fuzzy Hash: AB12DE306012A1DFDB25DF24E844BB6B7E2FB45300F54846AF5898B261CB39EC92DF95
                                            APIs
                                            • DestroyWindow.USER32(00000000), ref: 0075273E
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0075286A
                                            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007528A9
                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007528B9
                                            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00752900
                                            • GetClientRect.USER32(00000000,?), ref: 0075290C
                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00752955
                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00752964
                                            • GetStockObject.GDI32(00000011), ref: 00752974
                                            • SelectObject.GDI32(00000000,00000000), ref: 00752978
                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00752988
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00752991
                                            • DeleteDC.GDI32(00000000), ref: 0075299A
                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007529C6
                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 007529DD
                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00752A1D
                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00752A31
                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00752A42
                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00752A77
                                            • GetStockObject.GDI32(00000011), ref: 00752A82
                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00752A8D
                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00752A97
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                            • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                            • API String ID: 2910397461-2771358697
                                            • Opcode ID: d18e94631bf90796df279ce995486a89449f235ee8da0f223f79b8259d6598ab
                                            • Instruction ID: 3b431d28ec751e0e2ab31efd205dc064d2ec17bd1ac2c34280db8d5a36c3aeaa
                                            • Opcode Fuzzy Hash: d18e94631bf90796df279ce995486a89449f235ee8da0f223f79b8259d6598ab
                                            • Instruction Fuzzy Hash: 6EB19FB1A00215AFEB14DFA8DC45FAE7BA9EB49711F008115F915E7291D7B8ED00CF98
                                            APIs
                                            • GetSysColor.USER32(00000012), ref: 00767421
                                            • SetTextColor.GDI32(?,?), ref: 00767425
                                            • GetSysColorBrush.USER32(0000000F), ref: 0076743B
                                            • GetSysColor.USER32(0000000F), ref: 00767446
                                            • CreateSolidBrush.GDI32(?), ref: 0076744B
                                            • GetSysColor.USER32(00000011), ref: 00767463
                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00767471
                                            • SelectObject.GDI32(?,00000000), ref: 00767482
                                            • SetBkColor.GDI32(?,00000000), ref: 0076748B
                                            • SelectObject.GDI32(?,?), ref: 00767498
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 007674B7
                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007674CE
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 007674DB
                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0076752A
                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00767554
                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00767572
                                            • DrawFocusRect.USER32(?,?), ref: 0076757D
                                            • GetSysColor.USER32(00000011), ref: 0076758E
                                            • SetTextColor.GDI32(?,00000000), ref: 00767596
                                            • DrawTextW.USER32(?,007670F5,000000FF,?,00000000), ref: 007675A8
                                            • SelectObject.GDI32(?,?), ref: 007675BF
                                            • DeleteObject.GDI32(?), ref: 007675CA
                                            • SelectObject.GDI32(?,?), ref: 007675D0
                                            • DeleteObject.GDI32(?), ref: 007675D5
                                            • SetTextColor.GDI32(?,?), ref: 007675DB
                                            • SetBkColor.GDI32(?,?), ref: 007675E5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                            • String ID: @U=u
                                            • API String ID: 1996641542-2594219639
                                            • Opcode ID: 1002524aa40d90c3a4a00a24e2c2e80c7674272713d63c48f3d84b2c5baa4bd5
                                            • Instruction ID: 5e77953fe0ae5e53e073ba6c4d726d11ad724c936057cc3fc1a2ae2c0381b77a
                                            • Opcode Fuzzy Hash: 1002524aa40d90c3a4a00a24e2c2e80c7674272713d63c48f3d84b2c5baa4bd5
                                            • Instruction Fuzzy Hash: 2C616072900218AFDF069FA4DC49EAE7F79EF09360F118115F916AB2A1D7B89940CF94
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00744AED
                                            • GetDriveTypeW.KERNEL32(?,0076CB68,?,\\.\,0076CC08), ref: 00744BCA
                                            • SetErrorMode.KERNEL32(00000000,0076CB68,?,\\.\,0076CC08), ref: 00744D36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorMode$DriveType
                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                            • API String ID: 2907320926-4222207086
                                            • Opcode ID: 943cad5ac290c8550dc909ad4bb9315388e75ed6c37bb7ca204a685dc27897a3
                                            • Instruction ID: 3a58bc7a985b63cb0183a992cc02bb70f01550bdfcd92e2eeda452b9ffbda9ef
                                            • Opcode Fuzzy Hash: 943cad5ac290c8550dc909ad4bb9315388e75ed6c37bb7ca204a685dc27897a3
                                            • Instruction Fuzzy Hash: 7E61AFB0B05205DBCF04DF24DAD2A78B7B1EB05341B28851AF806AB691DB3DED41FB65
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 007602E5
                                            • _wcslen.LIBCMT ref: 0076031F
                                            • _wcslen.LIBCMT ref: 00760389
                                            • _wcslen.LIBCMT ref: 007603F1
                                            • _wcslen.LIBCMT ref: 00760475
                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007604C5
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00760504
                                              • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                                              • Part of subcall function 0073223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00732258
                                              • Part of subcall function 0073223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0073228A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                            • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                            • API String ID: 1103490817-1753161424
                                            • Opcode ID: b0687760aadea202d0b29d0894d8dc8c0343f313711977c67ba5a1b79036be7c
                                            • Instruction ID: 66262d7673ca1f9feee3293f4e2ffc4d412a22eedae870d1cc206f5c3b4961b6
                                            • Opcode Fuzzy Hash: b0687760aadea202d0b29d0894d8dc8c0343f313711977c67ba5a1b79036be7c
                                            • Instruction Fuzzy Hash: 75E19C312182418FCB28DF24C45083BB7E6BF89314B14496DF8979B3A2DB38ED45CB91
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 00761128
                                            • GetDesktopWindow.USER32 ref: 0076113D
                                            • GetWindowRect.USER32(00000000), ref: 00761144
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00761199
                                            • DestroyWindow.USER32(?), ref: 007611B9
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007611ED
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0076120B
                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0076121D
                                            • SendMessageW.USER32(00000000,00000421,?,?), ref: 00761232
                                            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00761245
                                            • IsWindowVisible.USER32(00000000), ref: 007612A1
                                            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007612BC
                                            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007612D0
                                            • GetWindowRect.USER32(00000000,?), ref: 007612E8
                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 0076130E
                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00761328
                                            • CopyRect.USER32(?,?), ref: 0076133F
                                            • SendMessageW.USER32(00000000,00000412,00000000), ref: 007613AA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                            • String ID: ($0$tooltips_class32
                                            • API String ID: 698492251-4156429822
                                            • Opcode ID: 51f1f5a2ef300bdacf789e752000f07e32a24241baa57f5194a2af815d7a2a3f
                                            • Instruction ID: dfedbd7fac7fcbcedf2abbcb37c2fb22ad7444279f19c7ed3efc658e5483ad75
                                            • Opcode Fuzzy Hash: 51f1f5a2ef300bdacf789e752000f07e32a24241baa57f5194a2af815d7a2a3f
                                            • Instruction Fuzzy Hash: 90B1BC71604341AFDB44DF64C888B6ABBE4FF88300F44891DF99A9B2A1C774E844CB96
                                            APIs
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E8968
                                            • GetSystemMetrics.USER32(00000007), ref: 006E8970
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E899B
                                            • GetSystemMetrics.USER32(00000008), ref: 006E89A3
                                            • GetSystemMetrics.USER32(00000004), ref: 006E89C8
                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006E89E5
                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006E89F5
                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006E8A28
                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006E8A3C
                                            • GetClientRect.USER32(00000000,000000FF), ref: 006E8A5A
                                            • GetStockObject.GDI32(00000011), ref: 006E8A76
                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 006E8A81
                                              • Part of subcall function 006E912D: GetCursorPos.USER32(?), ref: 006E9141
                                              • Part of subcall function 006E912D: ScreenToClient.USER32(00000000,?), ref: 006E915E
                                              • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000001), ref: 006E9183
                                              • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000002), ref: 006E919D
                                            • SetTimer.USER32(00000000,00000000,00000028,006E90FC), ref: 006E8AA8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                            • String ID: @U=u$AutoIt v3 GUI
                                            • API String ID: 1458621304-2077007950
                                            • Opcode ID: 90ca036b657eb90872723f3038cff3e8c8f60c3b23119ed548afd0cfc702bdf6
                                            • Instruction ID: fe331e6d99001d01456d9528e8ce7a5db171a5cce4727d6a11fed194aaf2b0c1
                                            • Opcode Fuzzy Hash: 90ca036b657eb90872723f3038cff3e8c8f60c3b23119ed548afd0cfc702bdf6
                                            • Instruction Fuzzy Hash: 00B18F75A003599FDB14DFA8DC45BAE3BB5FB48314F10822AFA16A7290DB78E841CF54
                                            APIs
                                            • LoadIconW.USER32(00000063), ref: 00735A2E
                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00735A40
                                            • SetWindowTextW.USER32(?,?), ref: 00735A57
                                            • GetDlgItem.USER32(?,000003EA), ref: 00735A6C
                                            • SetWindowTextW.USER32(00000000,?), ref: 00735A72
                                            • GetDlgItem.USER32(?,000003E9), ref: 00735A82
                                            • SetWindowTextW.USER32(00000000,?), ref: 00735A88
                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00735AA9
                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00735AC3
                                            • GetWindowRect.USER32(?,?), ref: 00735ACC
                                            • _wcslen.LIBCMT ref: 00735B33
                                            • SetWindowTextW.USER32(?,?), ref: 00735B6F
                                            • GetDesktopWindow.USER32 ref: 00735B75
                                            • GetWindowRect.USER32(00000000), ref: 00735B7C
                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00735BD3
                                            • GetClientRect.USER32(?,?), ref: 00735BE0
                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00735C05
                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00735C2F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                            • String ID: @U=u
                                            • API String ID: 895679908-2594219639
                                            • Opcode ID: bd7462111b9fd9440a9b398c3dd00e82ef9826fbbcf745ab37f591e42f29a42c
                                            • Instruction ID: e5fc60b5c4976b6e09ffbd9301ec72b4a315fc50e295a05c331f14811f42206d
                                            • Opcode Fuzzy Hash: bd7462111b9fd9440a9b398c3dd00e82ef9826fbbcf745ab37f591e42f29a42c
                                            • Instruction Fuzzy Hash: 79718E71900B09EFEB21DFA8CE85BAEBBF5FF48704F104518E582A25A1D779E940CB54
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 007609C6
                                            • _wcslen.LIBCMT ref: 00760A01
                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00760A54
                                            • _wcslen.LIBCMT ref: 00760A8A
                                            • _wcslen.LIBCMT ref: 00760B06
                                            • _wcslen.LIBCMT ref: 00760B81
                                              • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                                              • Part of subcall function 00732BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00732BFA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                            • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                            • API String ID: 1103490817-383632319
                                            • Opcode ID: b4af81b1ddc4968bd0f79cd10d5f0c44f1160a1528fd0e358bf02ff7ce68ed49
                                            • Instruction ID: 04dbe636cf8e561c7d453acd2a8e7893e6bc889a1034b387f0f490ce66d3a86b
                                            • Opcode Fuzzy Hash: b4af81b1ddc4968bd0f79cd10d5f0c44f1160a1528fd0e358bf02ff7ce68ed49
                                            • Instruction Fuzzy Hash: B1E19B716087018FCB14DF24C45092BB7E2BF98354F148A5DF89A9B3A2DB39ED45CB92
                                            APIs
                                              • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                                              • Part of subcall function 007310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                                              • Part of subcall function 007310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                                              • Part of subcall function 007310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                                              • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730DF5
                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00730E29
                                            • GetLengthSid.ADVAPI32(?), ref: 00730E40
                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00730E7A
                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730E96
                                            • GetLengthSid.ADVAPI32(?), ref: 00730EAD
                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00730EB5
                                            • HeapAlloc.KERNEL32(00000000), ref: 00730EBC
                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00730EDD
                                            • CopySid.ADVAPI32(00000000), ref: 00730EE4
                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00730F13
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730F35
                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730F47
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F6E
                                            • HeapFree.KERNEL32(00000000), ref: 00730F75
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F7E
                                            • HeapFree.KERNEL32(00000000), ref: 00730F85
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F8E
                                            • HeapFree.KERNEL32(00000000), ref: 00730F95
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00730FA1
                                            • HeapFree.KERNEL32(00000000), ref: 00730FA8
                                              • Part of subcall function 00731193: GetProcessHeap.KERNEL32(00000008,00730BB1,?,00000000,?,00730BB1,?), ref: 007311A1
                                              • Part of subcall function 00731193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00730BB1,?), ref: 007311A8
                                              • Part of subcall function 00731193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00730BB1,?), ref: 007311B7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                            • String ID:
                                            • API String ID: 4175595110-0
                                            • Opcode ID: e0830977437497ec22398bdbf383c3b791d1770c116ca8d3355a8563cac0c123
                                            • Instruction ID: c366cb2ccd8912e91f2d12477ee66689e63de2c464b4d817d65b030004802b09
                                            • Opcode Fuzzy Hash: e0830977437497ec22398bdbf383c3b791d1770c116ca8d3355a8563cac0c123
                                            • Instruction Fuzzy Hash: 79715FB190020AEBEF219FA4DC49FBEBBB8BF05700F048115F959A6152D7799A05CBA0
                                            APIs
                                            • _wcslen.LIBCMT ref: 0076835A
                                            • _wcslen.LIBCMT ref: 0076836E
                                            • _wcslen.LIBCMT ref: 00768391
                                            • _wcslen.LIBCMT ref: 007683B4
                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007683F2
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0076361A,?), ref: 0076844E
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768487
                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007684CA
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768501
                                            • FreeLibrary.KERNEL32(?), ref: 0076850D
                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0076851D
                                            • DestroyIcon.USER32(?), ref: 0076852C
                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00768549
                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00768555
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                            • String ID: .dll$.exe$.icl$@U=u
                                            • API String ID: 799131459-1639919054
                                            • Opcode ID: d1ff607b6ce1307a88a1248954ea99055940d1b6e9293a6d181f2625c7cc5108
                                            • Instruction ID: 9ed7bf26ed66169a14c575a7095c0dc1af235f3b816747f53ebc24dd89417597
                                            • Opcode Fuzzy Hash: d1ff607b6ce1307a88a1248954ea99055940d1b6e9293a6d181f2625c7cc5108
                                            • Instruction Fuzzy Hash: E861D171540219BAEB54DF64CC41BBF7BA8FB04711F10860AFD16D61D1DFB8AA50C7A4
                                            APIs
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C4BD
                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0076CC08,00000000,?,00000000,?,?), ref: 0075C544
                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0075C5A4
                                            • _wcslen.LIBCMT ref: 0075C5F4
                                            • _wcslen.LIBCMT ref: 0075C66F
                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0075C6B2
                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0075C7C1
                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0075C84D
                                            • RegCloseKey.ADVAPI32(?), ref: 0075C881
                                            • RegCloseKey.ADVAPI32(00000000), ref: 0075C88E
                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0075C960
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                            • API String ID: 9721498-966354055
                                            • Opcode ID: 60c8ce686347c88c37b4e0f9e0312b53db0b2d6a887a3d23fc236105d52efca2
                                            • Instruction ID: 3d1e5a5c1bf9f969cf39678abe4ae1ea190436f0a9e9305c36b4f5bb90e4cf64
                                            • Opcode Fuzzy Hash: 60c8ce686347c88c37b4e0f9e0312b53db0b2d6a887a3d23fc236105d52efca2
                                            • Instruction Fuzzy Hash: 041265316043019FDB15DF14C881B6AB7E6EF88714F04889DF88A9B3A2DB75ED45CB86
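                                             The two function listings above (the DACL rewrite of a user object at 00730DF5-00730F47 and the RegCreateKeyExW/RegSetValueExW sequence at 0075C544-0075C960) are the kind of API chains an analyst scans for by hand when reading a report like this. The following Python is an added triage helper, not part of Joe Sandbox and not code from the analysed sample: it parses lines in the report's "APIs" format, flags ordered call subsequences that match a behaviour, and decodes the dwType argument of RegSetValueExW into the REG_* names that appear in that function's string table. The rule names and behaviour labels are this example's own choices, and the sample inputs are copied from the listings above.

```python
"""Triage helper for the per-function "APIs" listings of a Joe Sandbox IDA
plugin report.  Added example; not Joe Sandbox code and not code from the
analysed sample.  Parses lines such as
    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0075C7C1
and labels recognisable ordered API sequences."""
import re
from typing import Dict, List, Optional, Union

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(args), ref: address.  CRT entries such as "_wcslen.LIBCMT ref: ..."
# carry neither an argument list nor the comma before "ref".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# dwType values of RegSetValueExW (4th argument); the names are the ones in
# the string table of the function that calls it.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# Ordered call subsequences worth a label during triage (labels are this
# example's own, not report signatures).  Order matters: a DACL is read,
# extended with AddAce and written back, in that sequence.
BEHAVIOUR_RULES = {
    "winsta/desktop DACL rewrite": ["GetUserObjectSecurity",
                                     "GetSecurityDescriptorDacl", "AddAce",
                                     "SetSecurityDescriptorDacl",
                                     "SetUserObjectSecurity"],
    "registry key create + value write": ["RegCreateKeyExW", "RegSetValueExW"],
}

# Constructed samples: lines copied from the two function listings above.
SAMPLE_DACL_REWRITE = """\
  • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
  • Part of subcall function 007310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
  • Part of subcall function 007310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
  • Part of subcall function 007310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
  • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00730E29
• GetLengthSid.ADVAPI32(?), ref: 00730E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00730E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730E96
• GetLengthSid.ADVAPI32(?), ref: 00730EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00730EB5
• HeapAlloc.KERNEL32(00000000), ref: 00730EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00730EDD
• CopySid.ADVAPI32(00000000), ref: 00730EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00730F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730F47
"""

SAMPLE_REGISTRY_WRITE = """\
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0076CC08,00000000,?,00000000,?,?), ref: 0075C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0075C5A4
• _wcslen.LIBCMT ref: 0075C5F4
• _wcslen.LIBCMT ref: 0075C66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0075C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0075C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0075C84D
• RegCloseKey.ADVAPI32(?), ref: 0075C881
• RegCloseKey.ADVAPI32(00000000), ref: 0075C88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0075C960
"""


def _arg(token: str) -> Union[int, str, None]:
    """'?' means the plugin could not resolve the argument statically."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # literal string argument, e.g. a DLL or export name


def parse_api_lines(text: str) -> List[Dict]:
    """Return one record per API line; lines in any other format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_arg(a) for a in raw.split(",")] if raw and raw.strip() else []
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": int(m.group("ref"), 16),
                      "subcall": m.group("sub")})
    return calls


def _is_subsequence(needle: List[str], hay: List[str]) -> bool:
    """True when every name in needle occurs in hay, in order (gaps allowed)."""
    it = iter(hay)
    return all(any(x == n for x in it) for n in needle)


def match_behaviours(calls: List[Dict], include_subcalls: bool = True) -> List[str]:
    """Labels of BEHAVIOUR_RULES whose sequence appears in the call list."""
    seq = [c["api"] for c in calls if include_subcalls or c["subcall"] is None]
    return sorted(label for label, pat in BEHAVIOUR_RULES.items()
                  if _is_subsequence(pat, seq))


def registry_value_types(calls: List[Dict]) -> List[str]:
    """REG_* names for every RegSetValueExW whose dwType was resolved."""
    out = []
    for c in calls:
        if c["api"] == "RegSetValueExW" and len(c["args"]) > 3 \
                and isinstance(c["args"][3], int):
            t = c["args"][3]
            out.append(REG_TYPES.get(t, f"REG_TYPE_{t:#x}"))
    return out


def triage(text: str) -> Dict:
    """One-shot summary for a function's "APIs" listing."""
    calls = parse_api_lines(text)
    return {"calls": len(calls), "behaviours": match_behaviours(calls),
            "registry_value_types": registry_value_types(calls)}


if __name__ == "__main__":
    for name, sample in (("00730DF5", SAMPLE_DACL_REWRITE),
                         ("0075C4BD", SAMPLE_REGISTRY_WRITE)):
        print(name, triage(sample))
```

                                             Note that the DACL rule only matches when "Part of subcall function" lines are included: the two GetUserObjectSecurity reads live in the 007310F9 helper, and the flat listing of 00730DF5 alone never names them. When extending BEHAVIOUR_RULES, keep each sequence ordered the way the APIs must actually be called; an unordered bag of names would also match benign code that merely imports the same functions.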
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$BuffCharUpper
                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                            • API String ID: 1256254125-909552448
                                            • Opcode ID: de7dfea91e7efa3be898fd113bfdd0781fe4e29cbb1a4b5c8a086a0451928232
                                            • Instruction ID: f87b5bd4aac68ed4e85dc9caf4e280d90faeda04030946cff4c211237e982e9c
                                            • Opcode Fuzzy Hash: de7dfea91e7efa3be898fd113bfdd0781fe4e29cbb1a4b5c8a086a0451928232
                                            • Instruction Fuzzy Hash: 2171163260036A8FCF22DE7CCD417FB37929B61751B244528FC56A7284EAB9CD48C3A4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                            • API String ID: 0-1645009161
                                            • Opcode ID: 9b53fa1b3889419c466f18fbe3adbbf63fb740e8696a2d3c374eeb7cee9cf4a8
                                            • Instruction ID: 38c1538164f9b5bcfe7b821dc5538857447e3ed4f05df522a62635104860f13a
                                            • Opcode Fuzzy Hash: 9b53fa1b3889419c466f18fbe3adbbf63fb740e8696a2d3c374eeb7cee9cf4a8
                                            • Instruction Fuzzy Hash: 978119B1A00209BBDB25AF64DC42FFE3766AF55300F04442AF905AB292FB74D941D7A5
                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00768592
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 007685A2
                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 007685AD
                                            • CloseHandle.KERNEL32(00000000), ref: 007685BA
                                            • GlobalLock.KERNEL32(00000000), ref: 007685C8
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007685D7
                                            • GlobalUnlock.KERNEL32(00000000), ref: 007685E0
                                            • CloseHandle.KERNEL32(00000000), ref: 007685E7
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007685F8
                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0076FC38,?), ref: 00768611
                                            • GlobalFree.KERNEL32(00000000), ref: 00768621
                                            • GetObjectW.GDI32(?,00000018,000000FF), ref: 00768641
                                            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00768671
                                            • DeleteObject.GDI32(00000000), ref: 00768699
                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007686AF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                            • String ID: @U=u
                                            • API String ID: 3840717409-2594219639
                                            • Opcode ID: eb3c30d5affcfa0ccd82823cd27a89650dc7dd919516fa932f8fecbc162b5ce3
                                            • Instruction ID: 5ebb3cbf9c5c1b90859c4d049f1c11b3e252c764ba5b04a3f02b637f2a98c6dd
                                            • Opcode Fuzzy Hash: eb3c30d5affcfa0ccd82823cd27a89650dc7dd919516fa932f8fecbc162b5ce3
                                            • Instruction Fuzzy Hash: A8412875600208AFDB129FA5CC48EAA7BB8FF89B11F108159FD46E7261DB789D01CF25
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen
                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[y
                                            • API String ID: 176396367-3387399910
                                            • Opcode ID: 98a7ece8accede00da7a48507520c300edbb011be0d88278d20f48b12fde8959
                                            • Instruction ID: 040b674cb789fe72fafa46d0a0cce46a2112abe4a959f54d375696d2b52a7210
                                            • Opcode Fuzzy Hash: 98a7ece8accede00da7a48507520c300edbb011be0d88278d20f48b12fde8959
                                            • Instruction Fuzzy Hash: 0FE1E632A005269BEF359FB8C4516FEFBB1BF44710F54812AE456E7242DB38AE4587D0
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                            • DragQueryPoint.SHELL32(?,?), ref: 00769147
                                              • Part of subcall function 00767674: ClientToScreen.USER32(?,?), ref: 0076769A
                                              • Part of subcall function 00767674: GetWindowRect.USER32(?,?), ref: 00767710
                                              • Part of subcall function 00767674: PtInRect.USER32(?,?,00768B89), ref: 00767720
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 007691B0
                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007691BB
                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007691DE
                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00769225
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0076923E
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00769255
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00769277
                                            • DragFinish.SHELL32(?), ref: 0076927E
                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00769371
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$p#z
                                            • API String ID: 221274066-1246384514
                                            • Opcode ID: 756ad91427686e561ccce6e17cecd414268d9a8f7f0373d83dae252c36d10f58
                                            • Instruction ID: 20594622f7e8b337e6cbfa15bc3dedc2908bf26f51c96fc560a9fcf049e175f2
                                            • Opcode Fuzzy Hash: 756ad91427686e561ccce6e17cecd414268d9a8f7f0373d83dae252c36d10f58
                                            • Instruction Fuzzy Hash: 8E619B71508301AFC701DF60DC85DAFBBE9EFC9750F00492EF596922A0DB749A09CB66
                                            APIs
                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006F00C6
                                              • Part of subcall function 006F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007A070C,00000FA0,F5654462,?,?,?,?,007123B3,000000FF), ref: 006F011C
                                              • Part of subcall function 006F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007123B3,000000FF), ref: 006F0127
                                              • Part of subcall function 006F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007123B3,000000FF), ref: 006F0138
                                              • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006F014E
                                              • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006F015C
                                              • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006F016A
                                              • Part of subcall function 006F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006F0195
                                              • Part of subcall function 006F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006F01A0
                                            • ___scrt_fastfail.LIBCMT ref: 006F00E7
                                              • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
                                            Strings
                                            • kernel32.dll, xrefs: 006F0133
                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 006F0122
                                            • InitializeConditionVariable, xrefs: 006F0148
                                            • WakeAllConditionVariable, xrefs: 006F0162
                                            • SleepConditionVariableCS, xrefs: 006F0154
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                            • API String ID: 66158676-1714406822
                                            • Opcode ID: 6bd65af9ed493c8fa03855f3d70aad972db18e670e984b24461f714dbbb2fee1
                                            • Instruction ID: e24a7f522972086bf83ff5013222f03e4ca6482920ad853d092288d3f28995da
                                            • Opcode Fuzzy Hash: 6bd65af9ed493c8fa03855f3d70aad972db18e670e984b24461f714dbbb2fee1
                                            • Instruction Fuzzy Hash: D1210E726457196BFB11ABF4AC05B7A3396EB46B51F104539FD0293392DFBC6C008A98
                                            APIs
                                            • CharLowerBuffW.USER32(00000000,00000000,0076CC08), ref: 00744527
                                            • _wcslen.LIBCMT ref: 0074453B
                                            • _wcslen.LIBCMT ref: 00744599
                                            • _wcslen.LIBCMT ref: 007445F4
                                            • _wcslen.LIBCMT ref: 0074463F
                                            • _wcslen.LIBCMT ref: 007446A7
                                              • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                                            • GetDriveTypeW.KERNEL32(?,00796BF0,00000061), ref: 00744743
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$BuffCharDriveLowerType
                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                            • API String ID: 2055661098-1000479233
                                            • Opcode ID: 2ff707f14f4fd79194ab6d13c4dbddac39cc9da941895c77acb8ac107f70ef58
                                            • Instruction ID: f34687a7da7809d218eba8213f9a73587bcce700bb4f577d60b9a33e96ab7d58
                                            • Opcode Fuzzy Hash: 2ff707f14f4fd79194ab6d13c4dbddac39cc9da941895c77acb8ac107f70ef58
                                            • Instruction Fuzzy Hash: D0B1F2716083029FC710DF28D890A7AB7E5BFA6760F504A1DF496C7291EB38D845DBA2
                                            APIs
                                            • DestroyWindow.USER32(?,?), ref: 00766DEB
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00766E5F
                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00766E81
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00766E94
                                            • DestroyWindow.USER32(?), ref: 00766EB5
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006D0000,00000000), ref: 00766EE4
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00766EFD
                                            • GetDesktopWindow.USER32 ref: 00766F16
                                            • GetWindowRect.USER32(00000000), ref: 00766F1D
                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00766F35
                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00766F4D
                                              • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                            • String ID: 0$@U=u$tooltips_class32
                                            • API String ID: 2429346358-1130792468
                                            • Opcode ID: 191b8d542b2494c2e41f250a23be50da6f5f320f2bbf34e9c88cdaa78826e270
                                            • Instruction ID: d87ebba7d47b521b59e25487d28d154e75642803ade32e3ee881fafeca5263a7
                                            • Opcode Fuzzy Hash: 191b8d542b2494c2e41f250a23be50da6f5f320f2bbf34e9c88cdaa78826e270
                                            • Instruction Fuzzy Hash: D2716674104340AFEB21CF18D844EBABBE9FB99304F84445EF99A87261C779E916CB19
                                            APIs
                                            • _wcslen.LIBCMT ref: 0075B198
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075B1B0
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075B1D4
                                            • _wcslen.LIBCMT ref: 0075B200
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075B214
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075B236
                                            • _wcslen.LIBCMT ref: 0075B332
                                              • Part of subcall function 007405A7: GetStdHandle.KERNEL32(000000F6), ref: 007405C6
                                            • _wcslen.LIBCMT ref: 0075B34B
                                            • _wcslen.LIBCMT ref: 0075B366
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075B3B6
                                            • GetLastError.KERNEL32(00000000), ref: 0075B407
                                            • CloseHandle.KERNEL32(?), ref: 0075B439
                                            • CloseHandle.KERNEL32(00000000), ref: 0075B44A
                                            • CloseHandle.KERNEL32(00000000), ref: 0075B45C
                                            • CloseHandle.KERNEL32(00000000), ref: 0075B46E
                                            • CloseHandle.KERNEL32(?), ref: 0075B4E3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                            • String ID:
                                            • API String ID: 2178637699-0
                                            • Opcode ID: 14487b356ea797d98a3725f65ab54ec3dc5778d46c6118c1f7cfe0a18a96dfe1
                                            • Instruction ID: 8a069dc9506b9730d9e87a6e3fe8491c36a3174ce7ac5b834e27a111a506f05e
                                            • Opcode Fuzzy Hash: 14487b356ea797d98a3725f65ab54ec3dc5778d46c6118c1f7cfe0a18a96dfe1
                                            • Instruction Fuzzy Hash: C7F18C31604340DFC764EF24C891B6EBBE1AF85310F14855EF8999B2A2DB75EC48CB96
                                            APIs
                                            • GetMenuItemCount.USER32(007A1990), ref: 00712F8D
                                            • GetMenuItemCount.USER32(007A1990), ref: 0071303D
                                            • GetCursorPos.USER32(?), ref: 00713081
                                            • SetForegroundWindow.USER32(00000000), ref: 0071308A
                                            • TrackPopupMenuEx.USER32(007A1990,00000000,?,00000000,00000000,00000000), ref: 0071309D
                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007130A9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                            • String ID: 0
                                            • API String ID: 36266755-4108050209
                                            • Opcode ID: a0fa88e954e6508ebd3dd3cfb17ddcd697d842660a91e1109ad3707e9c9d372d
                                            • Instruction ID: 312b12dc30439dbbb5635d9f7e9a28ea5d2ad112ed8205ad4770f427095123e0
                                            • Opcode Fuzzy Hash: a0fa88e954e6508ebd3dd3cfb17ddcd697d842660a91e1109ad3707e9c9d372d
                                            • Instruction Fuzzy Hash: FB712A70A44215BEFB218F28CC49FEABF69FF04324F204207F5156A2E1C7B9A965CB55
                                            APIs
                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C4B0
                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074C4C3
                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074C4D7
                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0074C4F0
                                            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0074C533
                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074C549
                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C554
                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074C584
                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074C5DC
                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074C5F0
                                            • InternetCloseHandle.WININET(00000000), ref: 0074C5FB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                            • String ID:
                                            • API String ID: 3800310941-3916222277
                                            • Opcode ID: d3eaba74513dce57d48ef928219fc7d48b4ce0d210665a889e09e64584309048
                                            • Instruction ID: c7cd51456fce75c2fe57731f67fd84d72ab91f73504c1b401c987aa4210b7f58
                                            • Opcode Fuzzy Hash: d3eaba74513dce57d48ef928219fc7d48b4ce0d210665a889e09e64584309048
                                            • Instruction Fuzzy Hash: F9518EB1501308BFDB629F65C948ABBBBFCFF08344F108419F98696210DB78E914DB60
                                            APIs
                                            • VariantInit.OLEAUT32(00000000), ref: 00741502
                                            • VariantCopy.OLEAUT32(?,?), ref: 0074150B
                                            • VariantClear.OLEAUT32(?), ref: 00741517
                                            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007415FB
                                            • VarR8FromDec.OLEAUT32(?,?), ref: 00741657
                                            • VariantInit.OLEAUT32(?), ref: 00741708
                                            • SysFreeString.OLEAUT32(?), ref: 0074178C
                                            • VariantClear.OLEAUT32(?), ref: 007417D8
                                            • VariantClear.OLEAUT32(?), ref: 007417E7
                                            • VariantInit.OLEAUT32(00000000), ref: 00741823
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                            • String ID: %4d%02d%02d%02d%02d%02d$Default
                                            • API String ID: 1234038744-3931177956
                                            • Opcode ID: 05228d4c3f8b1cc9573b3d7f44bef767aa7c55e9fb1e4406a7e8f8bc1c33183b
                                            • Instruction ID: 5e126d131e37f5975fa5dc322948794febb279cdd899d2c5552e4875c3c40ff9
                                            • Opcode Fuzzy Hash: 05228d4c3f8b1cc9573b3d7f44bef767aa7c55e9fb1e4406a7e8f8bc1c33183b
                                            • Instruction Fuzzy Hash: 4DD1E271A00219DBDB00FF65D885BB9FBB6BF44700F54815AF446AB280DB38EC91DBA1
                                            APIs
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                              • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075B6F4
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075B772
                                            • RegDeleteValueW.ADVAPI32(?,?), ref: 0075B80A
                                            • RegCloseKey.ADVAPI32(?), ref: 0075B87E
                                            • RegCloseKey.ADVAPI32(?), ref: 0075B89C
                                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0075B8F2
                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075B904
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0075B922
                                            • FreeLibrary.KERNEL32(00000000), ref: 0075B983
                                            • RegCloseKey.ADVAPI32(00000000), ref: 0075B994
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                            • API String ID: 146587525-4033151799
                                            • Opcode ID: ce366675221b07dc4a002bc98296aed2713ea70288fc0038b65e222dd3ddce04
                                            • Instruction ID: da68f1e1edd1ca2d0e375a5f745c1c7fdb33612ca775d12da4eda411db99b46f
                                            • Opcode Fuzzy Hash: ce366675221b07dc4a002bc98296aed2713ea70288fc0038b65e222dd3ddce04
                                            • Instruction Fuzzy Hash: 5FC16C30604201EFD714DF14C495F6ABBE5AF84319F14859DF89A8B3A2CBB9EC49CB91
                                            APIs
                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00765504
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00765515
                                            • CharNextW.USER32(00000158), ref: 00765544
                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00765585
                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0076559B
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007655AC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$CharNext
                                            • String ID: @U=u
                                            • API String ID: 1350042424-2594219639
                                            • Opcode ID: a9f19b519fba1ca7e1668433fffe26b91a0a4dee532c32914e6578a40c3d989e
                                            • Instruction ID: a9d3765b25db9d9cb9c25acf3f0b136b4d4e2724887bcd4f0457ca8e471b50d3
                                            • Opcode Fuzzy Hash: a9f19b519fba1ca7e1668433fffe26b91a0a4dee532c32914e6578a40c3d989e
                                            • Instruction Fuzzy Hash: FB618E30900609EFDF118F64CC84DFE7BB9EB05724F108185F967A6291DB7C9A80EB60
                                            APIs
                                            • GetDC.USER32(00000000), ref: 007525D8
                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007525E8
                                            • CreateCompatibleDC.GDI32(?), ref: 007525F4
                                            • SelectObject.GDI32(00000000,?), ref: 00752601
                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0075266D
                                            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007526AC
                                            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007526D0
                                            • SelectObject.GDI32(?,?), ref: 007526D8
                                            • DeleteObject.GDI32(?), ref: 007526E1
                                            • DeleteDC.GDI32(?), ref: 007526E8
                                            • ReleaseDC.USER32(00000000,?), ref: 007526F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                            • String ID: (
                                            • API String ID: 2598888154-3887548279
                                            • Opcode ID: a5b557801b3e335e7a8b98bd6df2233d65f3165b0df985cacdba4526e8b0ffbd
                                            • Instruction ID: 339b68b6ccc4e8b2b747b313eb488de7da2ea882d66853ce70fb172437d29f44
                                            • Opcode Fuzzy Hash: a5b557801b3e335e7a8b98bd6df2233d65f3165b0df985cacdba4526e8b0ffbd
                                            • Instruction Fuzzy Hash: FA6105B5D00219EFCF05CFA4D884AAEBBF5FF48310F208529E956A7251E7B4A941CF94
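The records above (the WinINet request at 0074C4B0, the GetDriveTypeW routine at 00744527 and the GDI capture routine at 007525D8) are raw API listings with arguments left as hex. The following is an added example by the editor, not code from the Joe Sandbox report, from AutoIt or from the analysed sample: it parses this record format, names the Win32 immediates that are fixed by the API contract (INTERNET_OPTION_SECURITY_FLAGS, HTTP_QUERY_CONTENT_LENGTH, SRCCOPY, the tooltip and combo-box messages) and tags each record with a capability when every API of a small required set is present. The SAMPLE text is copied and trimmed from the records on this page; the capability names and the tables are the editor's own choices.

```python
"""Parse the per-function API records of a Joe Sandbox IDA-plugin listing.

Editor's added example, not code from the report or the analysed sample: it
reads the bullet-list record format on this page, names the Win32 immediates
shown as raw hex, and tags a record with a capability when every API of a
small required set appears. Capability names, tables and SAMPLE are the editor's.
"""
import re

# Constructed input: three records copied (trimmed) from the report above.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C4B0
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0074C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0074C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074C584
• InternetCloseHandle.WININET(00000000), ref: 0074C5FB
Strings
APIs
• CharLowerBuffW.USER32(00000000,00000000,0076CC08), ref: 00744527
• _wcslen.LIBCMT ref: 0074453B
  • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
• GetDriveTypeW.KERNEL32(?,00796BF0,00000061), ref: 00744743
APIs
• GetDC.USER32(00000000), ref: 007525D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007525E8
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0075266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007526D0
• ReleaseDC.USER32(00000000,?), ref: 007526F3
"""

CALL_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

ARG_NAMES = {  # Win32 immediates keyed by (API, zero-based argument index)
    ("InternetQueryOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("InternetSetOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoW", 1): {0x05: "HTTP_QUERY_CONTENT_LENGTH"},
    ("SendMessageW", 1): {0x10: "WM_CLOSE", 0xF5: "BM_CLICK", 0x14B: "CB_RESETCONTENT",
                          0x14E: "CB_SETCURSEL", 0x158: "CB_FINDSTRINGEXACT",
                          0x418: "TTM_SETMAXTIPWIDTH", 0x421: "TTM_SETTITLEW",
                          0x432: "TTM_ADDTOOLW", 0x433: "TTM_DELTOOLW"},
    ("StretchBlt", 10): {0x00CC0020: "SRCCOPY"},
    ("GetDIBits", 6): {0x00: "DIB_RGB_COLORS"},
}

# A record is tagged only when every API in the set is present (subcalls count).
CAPABILITIES = {
    "http_client": {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"},
    "screen_capture": {"GetDC", "CreateCompatibleBitmap", "GetDIBits"},
    "process_creation": {"CreateProcessW"},
    "registry_delete": {"RegOpenKeyExW", "RegDeleteValueW"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "drive_enumeration": {"GetDriveTypeW"},
}

def parse_records(text):
    """Start a record at each 'APIs' header; keep only lines that parse as calls."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": []}
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if current is None or not m:
            continue  # 'Strings', 'Memory Dump Source', hash lines: no call data
        args = m.group("args")
        current["calls"].append({"api": m.group("api"), "module": m.group("mod"),
                                 "args": args.split(",") if args else [],
                                 "ref": m.group("ref"), "subcall": m.group("sub")})
    return records

def decode_args(call):
    """Return the call's arguments, with known immediates suffixed by their name."""
    out = []
    for i, raw in enumerate(call["args"]):
        try:
            name = ARG_NAMES.get((call["api"], i), {}).get(int(raw, 16))
        except ValueError:
            name = None  # '?' or a string such as tooltips_class32
        out.append(f"{raw}={name}" if name else raw)
    return out

def tag_capabilities(record):
    apis = {c["api"] for c in record["calls"]}
    return {tag for tag, need in CAPABILITIES.items() if need <= apis}

def summarize(text):
    """One dict per record: first ref, API names, capability tags, decoded calls."""
    return [{"first_ref": rec["calls"][0]["ref"] if rec["calls"] else None,
             "apis": [c["api"] for c in rec["calls"]],
             "capabilities": sorted(tag_capabilities(rec)),
             "decoded": [(c["api"], decode_args(c)) for c in rec["calls"]]}
            for rec in parse_records(text)]
```

Running `summarize(SAMPLE)` tags the three records as http_client, drive_enumeration and screen_capture. The decoder names only immediates whose meaning is fixed by the API signature; in the WinINet record the 0x1F in InternetQueryOptionW/InternetSetOptionW resolves to INTERNET_OPTION_SECURITY_FLAGS, so the pair around HttpSendRequestW adjusts the request's TLS certificate checks, but the flag value itself sits behind a buffer pointer that a static listing cannot show reliably, so the 0x100 is deliberately left unnamed. The same applies to the full report: paste any run of records into `parse_records` and the CreateProcessW, RegDeleteValueW and LoadLibraryA/GetProcAddress routines on this page pick up their tags.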
                                            APIs
                                            • timeGetTime.WINMM ref: 0073E6B4
                                              • Part of subcall function 006EE551: timeGetTime.WINMM(?,?,0073E6D4), ref: 006EE555
                                            • Sleep.KERNEL32(0000000A), ref: 0073E6E1
                                            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0073E705
                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0073E727
                                            • SetActiveWindow.USER32 ref: 0073E746
                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0073E754
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0073E773
                                            • Sleep.KERNEL32(000000FA), ref: 0073E77E
                                            • IsWindow.USER32 ref: 0073E78A
                                            • EndDialog.USER32(00000000), ref: 0073E79B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                            • String ID: @U=u$BUTTON
                                            • API String ID: 1194449130-2582809321
                                            • Opcode ID: fc667f9e1056235d70f9d9d2e829fa35b1041ac5780bf39ff9e35c545dc4f876
                                            • Instruction ID: 45b46c6be4eaf3b4137bb4aeeb3ae404af5ceccf8a5c06e72832753c35833b95
                                            • Opcode Fuzzy Hash: fc667f9e1056235d70f9d9d2e829fa35b1041ac5780bf39ff9e35c545dc4f876
                                            • Instruction Fuzzy Hash: 0D2184B0241305EFFB125F64EC99A353B69F796348F108425F55682AE3DBBD9C118B2C
                                            APIs
                                            • ___free_lconv_mon.LIBCMT ref: 0070DAA1
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D659
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D66B
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D67D
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D68F
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6A1
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6B3
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6C5
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6D7
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6E9
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6FB
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D70D
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D71F
                                              • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D731
                                            • _free.LIBCMT ref: 0070DA96
                                              • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                              • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                            • _free.LIBCMT ref: 0070DAB8
                                            • _free.LIBCMT ref: 0070DACD
                                            • _free.LIBCMT ref: 0070DAD8
                                            • _free.LIBCMT ref: 0070DAFA
                                            • _free.LIBCMT ref: 0070DB0D
                                            • _free.LIBCMT ref: 0070DB1B
                                            • _free.LIBCMT ref: 0070DB26
                                            • _free.LIBCMT ref: 0070DB5E
                                            • _free.LIBCMT ref: 0070DB65
                                            • _free.LIBCMT ref: 0070DB82
                                            • _free.LIBCMT ref: 0070DB9A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                            • String ID:
                                            • API String ID: 161543041-0
                                            • Opcode ID: 0b50f2e46493ae6a8fa6652d446d4f72f3fbf7efdec349bbdef2f80f4d200b3d
                                            • Instruction ID: 6018ebed41e9d267bea4c28b79fa41bbac574d83e224d63c9a569dc357b537f2
                                            • Opcode Fuzzy Hash: 0b50f2e46493ae6a8fa6652d446d4f72f3fbf7efdec349bbdef2f80f4d200b3d
                                            • Instruction Fuzzy Hash: B0313BB2604305DFEB31AAB9E849B5677E9FF00310F254629E449E71E2DB79BC41CB20
                                            APIs
                                            • GetClassNameW.USER32(?,?,00000100), ref: 0073369C
                                            • _wcslen.LIBCMT ref: 007336A7
                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00733797
                                            • GetClassNameW.USER32(?,?,00000400), ref: 0073380C
                                            • GetDlgCtrlID.USER32(?), ref: 0073385D
                                            • GetWindowRect.USER32(?,?), ref: 00733882
                                            • GetParent.USER32(?), ref: 007338A0
                                            • ScreenToClient.USER32(00000000), ref: 007338A7
                                            • GetClassNameW.USER32(?,?,00000100), ref: 00733921
                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0073395D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                            • String ID: %s%u
                                            • API String ID: 4010501982-679674701
                                            • Opcode ID: 5b86906b69c6d471b1fb5825197008676316b16e2cc47cdb9842836720eeaff3
                                            • Instruction ID: 77a44cab104a3df3e87f57f2509f6c521f3c2253fe6fecfc8bcadcfbe7e3cc6a
                                            • Opcode Fuzzy Hash: 5b86906b69c6d471b1fb5825197008676316b16e2cc47cdb9842836720eeaff3
                                            • Instruction Fuzzy Hash: FC91B371204706EFE725DF24C885BEAF7A9FF44314F008619FA9AC2151DB78EA45CBA1
                                            APIs
                                            • GetClassNameW.USER32(?,?,00000400), ref: 00734994
                                            • GetWindowTextW.USER32(?,?,00000400), ref: 007349DA
                                            • _wcslen.LIBCMT ref: 007349EB
                                            • CharUpperBuffW.USER32(?,00000000), ref: 007349F7
                                            • _wcsstr.LIBVCRUNTIME ref: 00734A2C
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00734A64
                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00734A9D
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00734AE6
                                            • GetClassNameW.USER32(?,?,00000400), ref: 00734B20
                                            • GetWindowRect.USER32(?,?), ref: 00734B8B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                            • String ID: ThumbnailClass
                                            • API String ID: 1311036022-1241985126
                                            • Opcode ID: cc00528501475ab3f434850dab90e39b297c74276aaec789c25e82aa852bc4cc
                                            • Instruction ID: 3fb23d8e35cc4b88847fddd582befdc8fbffc90a06de1bce9d5188855df0817b
                                            • Opcode Fuzzy Hash: cc00528501475ab3f434850dab90e39b297c74276aaec789c25e82aa852bc4cc
                                            • Instruction Fuzzy Hash: 8691DE711042099FEB08CF14C985BBAB7E9FF84314F04846AFD869A196DB38FD45CBA5
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00768D5A
                                            • GetFocus.USER32 ref: 00768D6A
                                            • GetDlgCtrlID.USER32(00000000), ref: 00768D75
                                            • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00768E1D
                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00768ECF
                                            • GetMenuItemCount.USER32(?), ref: 00768EEC
                                            • GetMenuItemID.USER32(?,00000000), ref: 00768EFC
                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00768F2E
                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00768F70
                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00768FA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                            • String ID: 0
                                            • API String ID: 1026556194-4108050209
                                            • Opcode ID: 45b5b679268920d6fd6ee1d53169dd808e248b1431f410fb6b3894b12d4fc27a
                                            • Instruction ID: 10a2a4f5845e8c3d90b36a96496ba7b2a45b6c59256668b71782eab77808b2e2
                                            • Opcode Fuzzy Hash: 45b5b679268920d6fd6ee1d53169dd808e248b1431f410fb6b3894b12d4fc27a
                                            • Instruction Fuzzy Hash: 8F81E071508301AFDB50CF24C884AAB7BE9FF88314F144A1DFD9697291DB79E904CB66
                                            APIs
                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075CC64
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0075CC8D
                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075CD48
                                              • Part of subcall function 0075CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0075CCAA
                                              • Part of subcall function 0075CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0075CCBD
                                              • Part of subcall function 0075CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075CCCF
                                              • Part of subcall function 0075CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075CD05
                                              • Part of subcall function 0075CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075CD28
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0075CCF3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                            • API String ID: 2734957052-4033151799
                                            • Opcode ID: 57230b7916e5c44c7b99b1be2f0fb1987dc9807ef0004c05555a77df9ebdcab5
                                            • Instruction ID: b8ba0860d2586482295cdb6391ca90cd043205d7a179a3e936eb068bd3f112d6
                                            • Opcode Fuzzy Hash: 57230b7916e5c44c7b99b1be2f0fb1987dc9807ef0004c05555a77df9ebdcab5
                                            • Instruction Fuzzy Hash: AF3170B1A01318BFDB229B90DC88EFFBB7CEF05741F004165E906E6140D6B89E49DAB4
                                            APIs
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0073EA5D
                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0073EA73
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073EA84
                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0073EA96
                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0073EAA7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: SendString$_wcslen
                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                            • API String ID: 2420728520-1007645807
                                            • Opcode ID: 7bf90f6dafb71b8cf3497a45f062c5af8be2aaa790c8b2f9799816e7afe02a1a
                                            • Instruction ID: 8c738fe0caa5d1a88ce1add17fe38ff80b08772ae4c49754e8bac7581892db83
                                            • Opcode Fuzzy Hash: 7bf90f6dafb71b8cf3497a45f062c5af8be2aaa790c8b2f9799816e7afe02a1a
                                            • Instruction Fuzzy Hash: C6117371A5026979EB20A7A2EC4AEFF6B7CEBD1F50F00452EB401A21D1EEB45D05C5B0
                                            APIs
                                              • Part of subcall function 006E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E8BE8,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8FC5
                                            • DestroyWindow.USER32(?), ref: 006E8C81
                                            • KillTimer.USER32(00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8D1B
                                            • DestroyAcceleratorTable.USER32(00000000), ref: 00726973
                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 007269A1
                                            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 007269B8
                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000), ref: 007269D4
                                            • DeleteObject.GDI32(00000000), ref: 007269E6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                            • String ID:
                                            • API String ID: 641708696-0
                                            • Opcode ID: 4bb26aec956ead845dbad22fb697a3635e9652425212de7769618bfd86d23a28
                                            • Instruction ID: c532157a4ffe608edce663264216bfb64cc7f2faa5811376aa32e0b3253d1f69
                                            • Opcode Fuzzy Hash: 4bb26aec956ead845dbad22fb697a3635e9652425212de7769618bfd86d23a28
                                            • Instruction Fuzzy Hash: E861AF30003790DFDB229F16D94872677F2FB82712F64851DE0869B660CB79B981CF98
                                            APIs
                                              • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                            • GetSysColor.USER32(0000000F), ref: 006E9862
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ColorLongWindow
                                            • String ID:
                                            • API String ID: 259745315-0
                                            • Opcode ID: f2cb288920d473719dd114cdb5f38dd60a17ceecf1f6f24acf7a6f9c6bf5cb41
                                            • Instruction ID: f2ec25cf4292dc54dc20e237437823fe99ca42be3dae8a77c56f510eeffe5df2
                                            • Opcode Fuzzy Hash: f2cb288920d473719dd114cdb5f38dd60a17ceecf1f6f24acf7a6f9c6bf5cb41
                                            • Instruction Fuzzy Hash: 8B41E2311017949FDB255F399C84BBA3B66AF06330F248A05F9A28B2F2D3749C42DB21
                                            APIs
                                            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00765186
                                            • ShowWindow.USER32(?,00000000), ref: 007651C7
                                            • ShowWindow.USER32(?,00000005,?,00000000), ref: 007651CD
                                            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 007651D1
                                              • Part of subcall function 00766FBA: DeleteObject.GDI32(00000000), ref: 00766FE6
                                            • GetWindowLongW.USER32(?,000000F0), ref: 0076520D
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0076521A
                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0076524D
                                            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00765287
                                            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00765296
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                            • String ID: @U=u
                                            • API String ID: 3210457359-2594219639
                                            • Opcode ID: 623fea6e7e9f8b648037a5c459cf90159b9ed8ee681cd02ee3d60994a4558418
                                            • Instruction ID: 8bdb8b99762e30df70c46ed8709839f7201a762aca9e505ea10b152bf054ec04
                                            • Opcode Fuzzy Hash: 623fea6e7e9f8b648037a5c459cf90159b9ed8ee681cd02ee3d60994a4558418
                                            • Instruction Fuzzy Hash: 0A519270A41A08FEEF249F28CC59BD93B65FB06321F148111FD17962E0C3BDA990EB55
                                            APIs
                                            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00726890
                                            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007268A9
                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007268B9
                                            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007268D1
                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007268F2
                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00726901
                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0072691E
                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0072692D
                                             Memory Dump Source
                                             • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Icon$DestroyExtractImageLoadMessageSend
                                            • String ID: @U=u
                                            • API String ID: 1268354404-2594219639
                                            • Opcode ID: d6b9c59ff612a45e63d3e0f52d23b6f980a4598fa293e220072b0de570e12e60
                                            • Instruction ID: a5536db9ac273d6ff36c92aff29d4a13d05fd7370b0bb7d3c9081560d95670b3
                                            • Opcode Fuzzy Hash: d6b9c59ff612a45e63d3e0f52d23b6f980a4598fa293e220072b0de570e12e60
                                            • Instruction Fuzzy Hash: BE51A870600349EFDB20CF25CC95BAA7BB6EF88350F108519F946972A0DBB8E991DB50
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                              • Part of subcall function 006E912D: GetCursorPos.USER32(?), ref: 006E9141
                                              • Part of subcall function 006E912D: ScreenToClient.USER32(00000000,?), ref: 006E915E
                                              • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000001), ref: 006E9183
                                              • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000002), ref: 006E919D
                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00768B6B
                                            • ImageList_EndDrag.COMCTL32 ref: 00768B71
                                            • ReleaseCapture.USER32 ref: 00768B77
                                            • SetWindowTextW.USER32(?,00000000), ref: 00768C12
                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00768C25
                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00768CFF
                                            Similarity
                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$p#z
                                            • API String ID: 1924731296-2216445195
                                            • Opcode ID: 105e966c8625a300dad8d4e9fff1e06e976d3a08f5724767546cc1fe3ba4b12c
                                            • Instruction ID: 0427278163f4a04506eda5804f82da71ebc179f050c7d3a8171f01216d4815d6
                                            • Opcode Fuzzy Hash: 105e966c8625a300dad8d4e9fff1e06e976d3a08f5724767546cc1fe3ba4b12c
                                            • Instruction Fuzzy Hash: 4D51AB70504340AFE744DF14DC5AFAA77E5FB88710F40062EF996972A2CB78AD04CB66
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0071F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00739717
                                            • LoadStringW.USER32(00000000,?,0071F7F8,00000001), ref: 00739720
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0071F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00739742
                                            • LoadStringW.USER32(00000000,?,0071F7F8,00000001), ref: 00739745
                                            • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00739866
                                            Similarity
                                            • API ID: HandleLoadModuleString$Message_wcslen
                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                            • API String ID: 747408836-2268648507
                                            • Opcode ID: ad70a27cdd0b9defa201e3b96c2414ffbe8a1916a6d742e2a9859150fee3fc95
                                            • Instruction ID: b73178ec05fd28a1bbcd66298862a916ee90a2b44c65ef12ab536a63cca4b8ad
                                            • Opcode Fuzzy Hash: ad70a27cdd0b9defa201e3b96c2414ffbe8a1916a6d742e2a9859150fee3fc95
                                            • Instruction Fuzzy Hash: EB416F72D00219AADF44EBE0DE86DEE7379AF55740F10012AF60172292EB796F48CB75
                                            APIs
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007307A2
                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007307BE
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007307DA
                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00730804
                                            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0073082C
                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00730837
                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0073083C
                                            Similarity
                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                            • API String ID: 323675364-22481851
                                            • Opcode ID: ce43b72e09e6513090f05cd4315410f2b2f176549ced7d58ffa8b4fc0e309fd6
                                            • Instruction ID: 95c8acfcb59d74591375d26b5b1ddc976a2b038311719d0d3ca05f91431dd805
                                            • Opcode Fuzzy Hash: ce43b72e09e6513090f05cd4315410f2b2f176549ced7d58ffa8b4fc0e309fd6
                                            • Instruction Fuzzy Hash: 4E413872C10229ABDF15EBA4DC95CFDB779FF04350F04412AE901A32A1EB74AE04CBA4
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 00747AF3
                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00747B8F
                                            • SHGetDesktopFolder.SHELL32(?), ref: 00747BA3
                                            • CoCreateInstance.OLE32(0076FD08,00000000,00000001,00796E6C,?), ref: 00747BEF
                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00747C74
                                            • CoTaskMemFree.OLE32(?,?), ref: 00747CCC
                                            • SHBrowseForFolderW.SHELL32(?), ref: 00747D57
                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00747D7A
                                            • CoTaskMemFree.OLE32(00000000), ref: 00747D81
                                            • CoTaskMemFree.OLE32(00000000), ref: 00747DD6
                                            • CoUninitialize.OLE32 ref: 00747DDC
                                            Similarity
                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                            • String ID:
                                            • API String ID: 2762341140-0
                                            • Opcode ID: 879ef35cbceab648df38d857a0761e26fb3faf1e4c8c6cfaf6cd12d946500574
                                            • Instruction ID: 88fa4f46b2ed3f8bcd1c0b43ce7eeebb851591999076f28b77f8412965df9cd9
                                            • Opcode Fuzzy Hash: 879ef35cbceab648df38d857a0761e26fb3faf1e4c8c6cfaf6cd12d946500574
                                            • Instruction Fuzzy Hash: 0DC12B75A04209AFCB14DFA4C884DAEBBF9FF48314B148499E81A9B361DB34ED45CF94
                                            APIs
                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0072FAAF
                                            • SafeArrayAllocData.OLEAUT32(?), ref: 0072FB08
                                            • VariantInit.OLEAUT32(?), ref: 0072FB1A
                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 0072FB3A
                                            • VariantCopy.OLEAUT32(?,?), ref: 0072FB8D
                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 0072FBA1
                                            • VariantClear.OLEAUT32(?), ref: 0072FBB6
                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 0072FBC3
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0072FBCC
                                            • VariantClear.OLEAUT32(?), ref: 0072FBDE
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0072FBE9
                                            Similarity
                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                            • String ID:
                                            • API String ID: 2706829360-0
                                            • Opcode ID: 087bfa131f44d690eacc3a97a6ded732074b4658513fc3f214a4300d00ee15d7
                                            • Instruction ID: 510550fcb4b1984d36b7978bfcc8d2588bb2ad7a7bbf485244397592e94b6b2f
                                            • Opcode Fuzzy Hash: 087bfa131f44d690eacc3a97a6ded732074b4658513fc3f214a4300d00ee15d7
                                            • Instruction Fuzzy Hash: 26418E75A00269DFCB01DF64D8589AEBFB9EF08354F00C039E946A7261CB78A945CFA4
                                            APIs
                                            • WSAStartup.WSOCK32(00000101,?), ref: 007505BC
                                            • inet_addr.WSOCK32(?), ref: 0075061C
                                            • gethostbyname.WSOCK32(?), ref: 00750628
                                            • IcmpCreateFile.IPHLPAPI ref: 00750636
                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007506C6
                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007506E5
                                            • IcmpCloseHandle.IPHLPAPI(?), ref: 007507B9
                                            • WSACleanup.WSOCK32 ref: 007507BF
                                            Similarity
                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                            • String ID: Ping
                                            • API String ID: 1028309954-2246546115
                                            • Opcode ID: 4e5f955fab46c554e2800c6737d06e0de2383736fa49f45061e7bfe525f2f7b1
                                            • Instruction ID: feb911616852a11f65a144d2db004482e7efd395c37ba8469346978a71fce0e8
                                            • Opcode Fuzzy Hash: 4e5f955fab46c554e2800c6737d06e0de2383736fa49f45061e7bfe525f2f7b1
                                            • Instruction Fuzzy Hash: 7B918D755042019FD720CF15C488F5ABBE1EF48318F1489A9E86A8B7A2D7B8ED49CFD1
                                            Similarity
                                            • API ID: _wcslen$BuffCharLower
                                            • String ID: cdecl$none$stdcall$winapi
                                            • API String ID: 707087890-567219261
                                            • Opcode ID: 5c643f9dc279783118a9dc3de1e2d3a1fd070a837c8a66843c51095ff92acf33
                                            • Instruction ID: a7b34931148121a93e99812c5ecf47b64bce4b8377e0ade6bc4057e9b4f34c78
                                            • Opcode Fuzzy Hash: 5c643f9dc279783118a9dc3de1e2d3a1fd070a837c8a66843c51095ff92acf33
                                            • Instruction Fuzzy Hash: 8751AE31A001169BCB94DF68C8419FEB3B2AF69721B204229E866F7284DFB9DD44C791
                                            APIs
                                            • CoInitialize.OLE32 ref: 00753774
                                            • CoUninitialize.OLE32 ref: 0075377F
                                            • CoCreateInstance.OLE32(?,00000000,00000017,0076FB78,?), ref: 007537D9
                                            • IIDFromString.OLE32(?,?), ref: 0075384C
                                            • VariantInit.OLEAUT32(?), ref: 007538E4
                                            • VariantClear.OLEAUT32(?), ref: 00753936
                                            Similarity
                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                            • API String ID: 636576611-1287834457
                                            • Opcode ID: 4cc741089aa3eeca5cf264f1aa6b29aff0cb5bc83ac1cd052b50c9dec4f16bd3
                                            • Instruction ID: 463e6d4598e71809c39e55dd969ee3055a8d7088d5a7e92745fe8f3fa9fb499c
                                            • Opcode Fuzzy Hash: 4cc741089aa3eeca5cf264f1aa6b29aff0cb5bc83ac1cd052b50c9dec4f16bd3
                                            • Instruction Fuzzy Hash: 1861C4B06083019FD315DF54C889FAABBE4EF48755F00490DF985972A1D7B8EE48CBA6
                                            APIs
                                            • SetWindowLongW.USER32(?,000000EB), ref: 006D5C7A
                                              • Part of subcall function 006D5D0A: GetClientRect.USER32(?,?), ref: 006D5D30
                                              • Part of subcall function 006D5D0A: GetWindowRect.USER32(?,?), ref: 006D5D71
                                              • Part of subcall function 006D5D0A: ScreenToClient.USER32(?,?), ref: 006D5D99
                                            • GetDC.USER32 ref: 007146F5
                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00714708
                                            • SelectObject.GDI32(00000000,00000000), ref: 00714716
                                            • SelectObject.GDI32(00000000,00000000), ref: 0071472B
                                            • ReleaseDC.USER32(?,00000000), ref: 00714733
                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007147C4
                                            Similarity
                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                            • String ID: @U=u$U
                                            • API String ID: 4009187628-4110099822
                                            • Opcode ID: bd4fbbfd26edb954e1b415a4186b5d3f5323206b42ef5421f56b6b6277849dca
                                            • Instruction ID: c93a29ae5c24e2397aebaa55694c1800c22f43e1d9e75eaa266f2639d9a167bf
                                            • Opcode Fuzzy Hash: bd4fbbfd26edb954e1b415a4186b5d3f5323206b42ef5421f56b6b6277849dca
                                            • Instruction Fuzzy Hash: A371E131900205DFCF218F68C984AFA3BB6FF4A365F14426AED565A2E6C7399C81DF50
                                            APIs
                                            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007433CF
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007433F0
                                            Similarity
                                            • API ID: LoadString$_wcslen
                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                            • API String ID: 4099089115-3080491070
                                            • Opcode ID: 11c4f676d3760505b31435c7ba2d566d9e716bfbe4b2de4f5989ba49c6c02af4
                                            • Instruction ID: a179a63fe67848d848bab646894733614720871dcb4199b9bc08650f7e9364d0
                                            • Opcode Fuzzy Hash: 11c4f676d3760505b31435c7ba2d566d9e716bfbe4b2de4f5989ba49c6c02af4
                                            • Instruction Fuzzy Hash: 3E51F471D00219AAEF15EBE0DD46EEEB779EF04340F10416AF10572252EB392F58DB65
                                            Similarity
                                            • API ID: _wcslen$BuffCharUpper
                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                            • API String ID: 1256254125-769500911
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 007453A0
                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00745416
                                            • GetLastError.KERNEL32 ref: 00745420
                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 007454A7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Error$Mode$DiskFreeLastSpace
                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                            • API String ID: 4194297153-14809454
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 00762D1B
                                            • GetDC.USER32(00000000), ref: 00762D23
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00762D2E
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00762D3A
                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00762D76
                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00762D87
                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00765A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00762DC2
                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00762DE1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                            • String ID: @U=u
                                            • API String ID: 3864802216-2594219639
                                            APIs
                                            • GetParent.USER32 ref: 007320AB
                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 007320C0
                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0073214D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameParentSend
                                            • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                            • API String ID: 1290815626-1428604138
                                            APIs
                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00763A9D
                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00763AA0
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00763AC7
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00763AEA
                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00763B62
                                            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00763BAC
                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00763BC7
                                            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00763BE2
                                            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00763BF6
                                            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00763C13
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$LongWindow
                                            • String ID:
                                            • API String ID: 312131281-0
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0073B151
                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B165
                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0073B16C
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B17B
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0073B18D
                                            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B1A6
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B1B8
                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B1FD
                                            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B212
                                            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0073A1E1,?,00000001), ref: 0073B21D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                            • String ID:
                                            • API String ID: 2156557900-0
                                            APIs
                                            • _free.LIBCMT ref: 00702C94
                                              • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                              • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                            • _free.LIBCMT ref: 00702CA0
                                            • _free.LIBCMT ref: 00702CAB
                                            • _free.LIBCMT ref: 00702CB6
                                            • _free.LIBCMT ref: 00702CC1
                                            • _free.LIBCMT ref: 00702CCC
                                            • _free.LIBCMT ref: 00702CD7
                                            • _free.LIBCMT ref: 00702CE2
                                            • _free.LIBCMT ref: 00702CED
                                            • _free.LIBCMT ref: 00702CFB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            APIs
                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006D1459
                                            • OleUninitialize.OLE32(?,00000000), ref: 006D14F8
                                            • UnregisterHotKey.USER32(?), ref: 006D16DD
                                            • DestroyWindow.USER32(?), ref: 007124B9
                                            • FreeLibrary.KERNEL32(?), ref: 0071251E
                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0071254B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                            • String ID: close all
                                            • API String ID: 469580280-3243417748
                                            APIs
                                            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007435E4
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • LoadStringW.USER32(007A2390,?,00000FFF,?), ref: 0074360A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LoadString$_wcslen
                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                            • API String ID: 4099089115-2391861430
                                            APIs
                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00763925
                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0076393A
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00763954
                                            • _wcslen.LIBCMT ref: 00763999
                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 007639C6
                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007639F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window_wcslen
                                            • String ID: @U=u$SysListView32
                                            • API String ID: 2147712094-1908207174
                                            APIs
                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00762E1C
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00762E4F
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00762E84
                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00762EB6
                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00762EE0
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00762EF1
                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00762F0B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LongWindow$MessageSend
                                            • String ID: @U=u
                                            • API String ID: 2178440468-2594219639
                                            APIs
                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074C272
                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C29A
                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074C2CA
                                            • GetLastError.KERNEL32 ref: 0074C322
                                            • SetEvent.KERNEL32(?), ref: 0074C336
                                            • InternetCloseHandle.WININET(00000000), ref: 0074C341
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                            • String ID:
                                            • API String ID: 3113390036-3916222277
                                            • Opcode ID: 0c5acad495dd7ddf09b2099c0a44ef209630204c09c445ec2434493035c1d27e
                                            • Instruction ID: b6dc6416ff79f7a39856ffcb307c316dc0c164a0353473d73fd3f198d18aef88
                                            • Opcode Fuzzy Hash: 0c5acad495dd7ddf09b2099c0a44ef209630204c09c445ec2434493035c1d27e
                                            • Instruction Fuzzy Hash: 49317CB1601308AFD7629FA5CC88ABB7BFCEB49744F14851EF486D2210DB78DD049B65
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00713AAF,?,?,Bad directive syntax error,0076CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007398BC
                                            • LoadStringW.USER32(00000000,?,00713AAF,?), ref: 007398C3
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00739987
                                            Strings
                                            Similarity
                                            • API ID: HandleLoadMessageModuleString_wcslen
                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                            • API String ID: 858772685-4153970271
                                            • Opcode ID: a9e269a17ab2d6e4b35a7943a4fb53368661db7443857effa26837f5dc1a28be
                                            • Instruction ID: 7928cdc2cf152a5156d6d48401b141ff6506439a16a4085b603d4843ce78d35e
                                            • Opcode Fuzzy Hash: a9e269a17ab2d6e4b35a7943a4fb53368661db7443857effa26837f5dc1a28be
                                            • Instruction Fuzzy Hash: D521B471D0025EEBDF15AF90CC06EED7736FF18300F04441AF515661A2DB79A628DB25
                                            APIs
                                            Similarity
                                            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                            • String ID:
                                            • API String ID: 1282221369-0
                                            • Opcode ID: 98eaf1aa8db762972f091f95f26b90050fa767fb2b08d1bb0985a8c7704c0b8d
                                            • Instruction ID: 2fc5c6819e06a99f8a3af5397176a69a7ca00f161ca8030ff2e4312c7df0eaa8
                                            • Opcode Fuzzy Hash: 98eaf1aa8db762972f091f95f26b90050fa767fb2b08d1bb0985a8c7704c0b8d
                                            • Instruction Fuzzy Hash: 78614973A04302EFDB22AFB4D88966E7BE5AF05310F14476DF945A72C2D63DAD018791
                                            APIs
                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C182
                                            • GetLastError.KERNEL32 ref: 0074C195
                                            • SetEvent.KERNEL32(?), ref: 0074C1A9
                                              • Part of subcall function 0074C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074C272
                                              • Part of subcall function 0074C253: GetLastError.KERNEL32 ref: 0074C322
                                              • Part of subcall function 0074C253: SetEvent.KERNEL32(?), ref: 0074C336
                                              • Part of subcall function 0074C253: InternetCloseHandle.WININET(00000000), ref: 0074C341
                                            Similarity
                                            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                            • String ID:
                                            • API String ID: 337547030-0
                                            • Opcode ID: 0680e363e104d739e0b94aee18874776dc03688f1318fa73f1858981511b0b0e
                                            • Instruction ID: 98ef851e4a431c5ce2d4ef5473934a91c362f7f8047d6e0182cb193791330184
                                            • Opcode Fuzzy Hash: 0680e363e104d739e0b94aee18874776dc03688f1318fa73f1858981511b0b0e
                                            • Instruction Fuzzy Hash: DD31AF71202745EFDB629FB5DC04A76BBF8FF18300B04842DF99686620D7B9E8149B60
                                            APIs
                                              • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                                              • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                                              • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 007325BD
                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007325DB
                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007325DF
                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 007325E9
                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00732601
                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00732605
                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 0073260F
                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00732623
                                            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00732627
                                            Similarity
                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                            • String ID:
                                            • API String ID: 2014098862-0
                                            • Opcode ID: e9c4d3b46787181fda0e4f9fc104202ad761656a1e39a24fe3e88b9f6e2d7599
                                            • Instruction ID: 58749824395ef0a3cd213885e9637fcb0f503eef39c5a056950e5e8f64cbda7a
                                            • Opcode Fuzzy Hash: e9c4d3b46787181fda0e4f9fc104202ad761656a1e39a24fe3e88b9f6e2d7599
                                            • Instruction Fuzzy Hash: 0901B170390314BBFB206768DC8FF693E59DB4AB12F104041F359AE0E2C9EA28458A6D
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00731449,?,?,00000000), ref: 0073180C
                                            • HeapAlloc.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 00731813
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00731449,?,?,00000000), ref: 00731828
                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00731449,?,?,00000000), ref: 00731830
                                            • DuplicateHandle.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 00731833
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00731449,?,?,00000000), ref: 00731843
                                            • GetCurrentProcess.KERNEL32(00731449,00000000,?,00731449,?,?,00000000), ref: 0073184B
                                            • DuplicateHandle.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 0073184E
                                            • CreateThread.KERNEL32(00000000,00000000,00731874,00000000,00000000,00000000), ref: 00731868
                                            Similarity
                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                            • String ID:
                                            • API String ID: 1957940570-0
                                            • Opcode ID: bba34851ef44c44349ff529f565cf02bcadf1eb55fc13f5368194b4992b6db62
                                            • Instruction ID: 7af4586682d79fdd02922e4202f9aea89e0a75d119d406d5ee64f6d68ef4e480
                                            • Opcode Fuzzy Hash: bba34851ef44c44349ff529f565cf02bcadf1eb55fc13f5368194b4992b6db62
                                            • Instruction Fuzzy Hash: DE01BFB5240348BFE711AB65DC4EF673B6CEB8AB11F418411FA45DB191C6B59C00CB34
                                            APIs
                                              • Part of subcall function 0073D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
                                              • Part of subcall function 0073D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
                                              • Part of subcall function 0073D4DC: CloseHandle.KERNEL32(00000000), ref: 0073D5DC
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075A16D
                                            • GetLastError.KERNEL32 ref: 0075A180
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075A1B3
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0075A268
                                            • GetLastError.KERNEL32(00000000), ref: 0075A273
                                            • CloseHandle.KERNEL32(00000000), ref: 0075A2C4
                                            Strings
                                            Similarity
                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 2533919879-2896544425
                                            • Opcode ID: a113764b83badd6d8d7ccc8dffd7bd66d3a5f4dd373e8a4efb2b348a3950ccb6
                                            • Instruction ID: 2d5076510f2ac23343b7d3232febcbdc6b508e1886fbf137faa63d9ed84abe1f
                                            • Opcode Fuzzy Hash: a113764b83badd6d8d7ccc8dffd7bd66d3a5f4dd373e8a4efb2b348a3950ccb6
                                            • Instruction Fuzzy Hash: E761B171204242AFD710DF19C495F65BBE1BF84318F14859CE8568B7A3C7BAEC49CB92
                                            APIs
                                            • _ValidateLocalCookies.LIBCMT ref: 006F2D4B
                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 006F2D53
                                            • _ValidateLocalCookies.LIBCMT ref: 006F2DE1
                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 006F2E0C
                                            • _ValidateLocalCookies.LIBCMT ref: 006F2E61
                                            Strings
                                            Similarity
                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                            • String ID: &Ho$csm
                                            • API String ID: 1170836740-2077702024
                                            • Opcode ID: f6a94c6f19235291afb56e7521eb9cc2da098255eacefc04e7aa7ffc6c5fd22d
                                            • Instruction ID: f703c9eea8bb3f9fb39bf99ab3fd6a378596394a0355c0b63e31ddac373f0123
                                            • Opcode Fuzzy Hash: f6a94c6f19235291afb56e7521eb9cc2da098255eacefc04e7aa7ffc6c5fd22d
                                            • Instruction Fuzzy Hash: F141A434A0021EABCF10DF68C855AEEBBB6BF45354F148155EA14AB392D7359A11CFD0
                                            APIs
                                            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0072F3AB,00000000,?,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0076824C
                                            • EnableWindow.USER32(00000000,00000000), ref: 00768272
                                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 007682D1
                                            • ShowWindow.USER32(00000000,00000004), ref: 007682E5
                                            • EnableWindow.USER32(00000000,00000001), ref: 0076830B
                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0076832F
                                            Strings
                                            Similarity
                                            • API ID: Window$Show$Enable$MessageSend
                                            • String ID: @U=u
                                            • API String ID: 642888154-2594219639
                                            • Opcode ID: 2ac1a5c29f5fe90d9aac1d4f4f798fbe6ce6075ddb300de8d99bb6ea6498d3be
                                            • Instruction ID: 496c3847ef0e472e8fc63a7f21895a7a5a06340e9cf15d6852dc64cdd15b8fdd
                                            • Opcode Fuzzy Hash: 2ac1a5c29f5fe90d9aac1d4f4f798fbe6ce6075ddb300de8d99bb6ea6498d3be
                                            • Instruction Fuzzy Hash: 7241E830601640EFDB56CF15C8A9BE87BE0FB46714F1843A9E94A4F272CB39A841CB46
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00734C95
                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00734CB2
                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00734CEA
                                            • _wcslen.LIBCMT ref: 00734D08
                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00734D10
                                            • _wcsstr.LIBVCRUNTIME ref: 00734D1A
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                            • String ID: @U=u
                                            • API String ID: 72514467-2594219639
                                            • Opcode ID: e1b33a6a50da3755d2855762d284512cf059108c6a5027de7a80a892cef28342
                                            • Instruction ID: 652acf3116213d61dedf365a65aee826ed49ec27f3cca9cf57ff2e2045c466d2
                                            • Opcode Fuzzy Hash: e1b33a6a50da3755d2855762d284512cf059108c6a5027de7a80a892cef28342
                                            • Instruction Fuzzy Hash: B2212932305304BBFB195B35EC09E7B7B9DDF45750F10806DF905CA192EEA9EC0086A4
                                            APIs
                                            • LoadIconW.USER32(00000000,00007F03), ref: 0073C913
                                            Strings
                                            Similarity
                                            • API ID: IconLoad
                                            • String ID: blank$info$question$stop$warning
                                            • API String ID: 2457776203-404129466
                                            • Opcode ID: 08e135b5ef8f20f1f7049caa3c0956f4cb09f55a839453ff335c4f3606bd45b9
                                            • Instruction ID: 7719464671d4327051e223bf23474e459e5ed616b19606c50cd7e6a43706e579
                                            • Opcode Fuzzy Hash: 08e135b5ef8f20f1f7049caa3c0956f4cb09f55a839453ff335c4f3606bd45b9
                                            • Instruction Fuzzy Hash: D511EB3268930ABEBB029B55AC82DAB779CDF15754F11006EF500B6183EBAD7F005368
                                            APIs
                                            • GetClientRect.USER32(?), ref: 00727452
                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00727469
                                            • GetWindowDC.USER32(?), ref: 00727475
                                            • GetPixel.GDI32(00000000,?,?), ref: 00727484
                                            • ReleaseDC.USER32(?,00000000), ref: 00727496
                                            • GetSysColor.USER32(00000005), ref: 007274B0
                                            Strings
                                            Similarity
                                            • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                            • String ID: @U=u
                                            • API String ID: 272304278-2594219639
                                            • Opcode ID: 56e8d662c2ec022928b0fc2c3a009533f9be6e994307af506aef4df51e9a94cc
                                            • Instruction ID: dcf92beec899307d520581f1c77654c3c05a388ef2c6bbd20112727ae290b071
                                            • Opcode Fuzzy Hash: 56e8d662c2ec022928b0fc2c3a009533f9be6e994307af506aef4df51e9a94cc
                                            • Instruction Fuzzy Hash: D801AD31400355EFEB126FA4EC08BBA7BB5FF04311F608060F956A21A1CB791E51EB54
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Similarity
                                            • API ID: _wcslen$LocalTime
                                            • String ID:
                                            • API String ID: 952045576-0
                                            • Opcode ID: e4b8644315091cb30925ac25193e0e5a6c09641022a926cd9cf728660350de70
                                            • Instruction ID: 953233d71ce4e2f53a67f8cd337d2b747e19839fe56707d770a17ad22f643e5b
                                            • Instruction Fuzzy Hash: 9D41B065D1021C75DB51EBB4C88A9DFB3AAAF45700F40846AF618E3162FB38E345C3E9
                                            APIs
                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 006EF953
                                            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0072F3D1
                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0072F454
                                            Similarity
                                            • API ID: ShowWindow
                                            • String ID:
                                            • API String ID: 1268545403-0
                                            • Opcode ID: 184ced469cb754abed815b45902d6965275a994cd9434f4cb57d7512b3803563
                                            • Instruction ID: 062bb6544e084ecf765a34ef74093c6220656b5b4e65e697ae4fde4e97b97505
                                            • Instruction Fuzzy Hash: 8F412A302197C0BBC7399B2AD88877A7BA3AB46310F15843DF0C757663C679A881CB51
                                            Similarity
                                            • API ID: _memcmp
                                            • String ID:
                                            • API String ID: 2931989736-0
                                            • Opcode ID: f8a383b01382925de88b3a6bec6e558427d412a982814cdc32fd625fbda12b39
                                            • Instruction ID: a3821fdb972465b6239d3089ef810889410c7ee1e6a05f45d263ee81356c419d
                                            • Instruction Fuzzy Hash: C92195F2644A19F7F21456209D93FBA235EAF217C4F840024FE059A586FB28ED10C2E9
                                            Similarity
                                            • API ID:
                                            • String ID: NULL Pointer assignment$Not an Object type
                                            • API String ID: 0-572801152
                                            • Opcode ID: 87b2b0174ad388886e10b65bd7169edea3a28595d43e8bf87582e4ebe632c31e
                                            • Instruction ID: c35b2652cbaf4d0dc1c6a0f84f1a077113bc1f6baf5f659c0d7a13d13f336851
                                            • Instruction Fuzzy Hash: 7ED1D671A0060A9FDF10CFA8C891BEEB7B5BF48354F148069ED15AB281E7B4DD49CB90
                                            APIs
                                            • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007115CE
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00711651
                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007117FB,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007116E4
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007116FB
                                              • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00711777
                                            • __freea.LIBCMT ref: 007117A2
                                            • __freea.LIBCMT ref: 007117AE
                                            Similarity
                                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                            • String ID:
                                            • API String ID: 2829977744-0
                                            • Opcode ID: aab147aaecb947bb0a71e2b8c7b8681f88a8f495e400caf70a91402220c61039
                                            • Instruction ID: d2d2d582cccc64d57dd6f074ab0d7af80b43fb83db76196ec2c143f09337c0c8
                                            • Instruction Fuzzy Hash: 6191A571E102169ADB218E78CC45AEE7BB69F49710F984659EA01EF2C1DB3DDD80C760
                                            Similarity
                                            • API ID: Variant$ClearInit
                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                            • API String ID: 2610073882-625585964
                                            • Opcode ID: 24203c5f55310adb8a3ffaa0afe5577bc168b8a15a2366ab0b76cb937141772f
                                            • Instruction ID: 4312fbc68a478a746e81e2f87e755001f8efa236fbb38830d26e8f835f4e9a57
                                            • Instruction Fuzzy Hash: EE91A471A00219ABDF24CFA5CC44FEE7BB8EF45715F108559F905AB280D7B89989CFA0
                                            APIs
                                            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0074125C
                                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00741284
                                            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007412A8
                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007412D8
                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0074135F
                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007413C4
                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00741430
                                            Similarity
                                            • API ID: ArraySafe$Data$Access$UnaccessVartype
                                            • String ID:
                                            • API String ID: 2550207440-0
                                            • Opcode ID: 6574b68f10876c1e48cb1dd31a85b3af0d2b2be96a3f76e1d94924ba27f77129
                                            • Instruction ID: a2317020f907cf3f7b95684436d4509797e82e16ea7a1fde8206d1cb2cd6df47
                                            • Instruction Fuzzy Hash: D391F475A00219DFDB01EF98C884BBE77B5FF44324F548029EA51EB291D7BCA981CB94
                                            Similarity
                                            • API ID: ObjectSelect$BeginCreatePath
                                            • String ID:
                                            • API String ID: 3225163088-0
                                            • Opcode ID: 16c06dcb0ebd52a45c32db97c2e5b955270900eabe12ec971a41447f058989b0
                                            • Instruction ID: 19f580b0c245ad83f8e8d802c037397c12a892cf10e1bf49b0ef69849a9c9685
                                            • Instruction Fuzzy Hash: AA914671D01259EFCB15CFAACC84AEEBBB9FF48320F148049E516B7251D378A942CB60
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 0075396B
                                            • CharUpperBuffW.USER32(?,?), ref: 00753A7A
                                            • _wcslen.LIBCMT ref: 00753A8A
                                            • VariantClear.OLEAUT32(?), ref: 00753C1F
                                              • Part of subcall function 00740CDF: VariantInit.OLEAUT32(00000000), ref: 00740D1F
                                              • Part of subcall function 00740CDF: VariantCopy.OLEAUT32(?,?), ref: 00740D28
                                              • Part of subcall function 00740CDF: VariantClear.OLEAUT32(?), ref: 00740D34
                                            Similarity
                                            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                            • API String ID: 4137639002-1221869570
                                            • Opcode ID: a7cbad24f4df9ae44887431e5a47fd727101c57ee977313d44e3ca3931166d54
                                            • Instruction ID: 5d284730851b6570eed9cfbeeef0dfbfff5b826238345ecd082dbe18555951bd
                                            • Instruction Fuzzy Hash: B491AE746083059FC704DF24C48086AB7E5FF88355F04892EF8899B361DB75EE09CB92
                                            APIs
                                              • Part of subcall function 0073000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?,?,0073035E), ref: 0073002B
                                              • Part of subcall function 0073000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730046
                                              • Part of subcall function 0073000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730054
                                              • Part of subcall function 0073000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?), ref: 00730064
                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00754C51
                                            • _wcslen.LIBCMT ref: 00754D59
                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00754DCF
                                            • CoTaskMemFree.OLE32(?), ref: 00754DDA
                                            Similarity
                                            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                            • String ID: NULL Pointer assignment
                                            • API String ID: 614568839-2785691316
                                            • Opcode ID: 8b1c8e9490ddc2d60c37645ed2d40e2a8827f06902028f16f7fc78fa5ab2ac12
                                            • Instruction ID: d78b41c4609d6784e53fbdf8502645fcea7b105df21da408e2e9b59d9c0b5954
                                            • Instruction Fuzzy Hash: F1912671D0021DEFDF14DFA4D891AEEB7B9BF08314F10856AE915A7241DB749A48CFA0
                                            APIs
                                            • GetMenu.USER32(?), ref: 00762183
                                            • GetMenuItemCount.USER32(00000000), ref: 007621B5
                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007621DD
                                            • _wcslen.LIBCMT ref: 00762213
                                            • GetMenuItemID.USER32(?,?), ref: 0076224D
                                            • GetSubMenu.USER32(?,?), ref: 0076225B
                                              • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                                              • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                                              • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007622E3
                                              • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
                                            Similarity
                                            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                            • String ID:
                                            • API String ID: 4196846111-0
                                            • Opcode ID: e39c854b5b0ab6176a397d20943884785a44c58b1af20e6127804a2dc4ed8b93
                                            • Instruction ID: efdd7c7be3d1e1bba6bee4cdc73c57dc5c410da23ee467c2bff943000afaf806
                                            • Instruction Fuzzy Hash: 02719F35E00605AFCB54DF64C845AAEB7F6FF88320F158459E817EB352DB78AD428B90
                                            APIs
                                            • GetParent.USER32(?), ref: 0073AEF9
                                            • GetKeyboardState.USER32(?), ref: 0073AF0E
                                            • SetKeyboardState.USER32(?), ref: 0073AF6F
                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 0073AF9D
                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0073AFBC
                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 0073AFFD
                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0073B020
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: c6b0677d31a133b0d5b3dc77feeb8cfc124040251a42e2102a794be778532668
                                            • Instruction ID: 16a6b96ed0d673094e6aa13202e88f6780cdc55d6e41ce18a1dd90e1f356f48a
                                            • Instruction Fuzzy Hash: 9E5182A06047D63DFB364234C84ABBBBEA95B06304F088589E2D9594D3D3DDEDC8D751
                                            APIs
                                            • GetParent.USER32(00000000), ref: 0073AD19
                                            • GetKeyboardState.USER32(?), ref: 0073AD2E
                                            • SetKeyboardState.USER32(?), ref: 0073AD8F
                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0073ADBB
                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0073ADD8
                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0073AE17
                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0073AE38
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: af5ae70e6b4cd819382befcc31a51b298cd98d25e86410dd415f496c1cd5ffad
                                            • Instruction ID: 0447e52ab97c429342cdcf0af972e4bdb83a60a4f4b22822ef6659b011641b9f
                                            • Opcode Fuzzy Hash: af5ae70e6b4cd819382befcc31a51b298cd98d25e86410dd415f496c1cd5ffad
                                            • Instruction Fuzzy Hash: 5551D2A1A547D53DFB378334CC57B7ABEA86B46300F088588E1D54A8C3D29CEC88D762
                                            APIs
                                            • GetConsoleCP.KERNEL32(00713CD6,?,?,?,?,?,?,?,?,00705BA3,?,?,00713CD6,?,?), ref: 00705470
                                            • __fassign.LIBCMT ref: 007054EB
                                            • __fassign.LIBCMT ref: 00705506
                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00713CD6,00000005,00000000,00000000), ref: 0070552C
                                            • WriteFile.KERNEL32(?,00713CD6,00000000,00705BA3,00000000,?,?,?,?,?,?,?,?,?,00705BA3,?), ref: 0070554B
                                            • WriteFile.KERNEL32(?,?,00000001,00705BA3,00000000,?,?,?,?,?,?,?,?,?,00705BA3,?), ref: 00705584
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                            • String ID:
                                            • API String ID: 1324828854-0
                                            • Opcode ID: 72148edba0950030cd261861e038906098e80c9f425ffcf3c2ccfba6e8bb0a1d
                                            • Instruction ID: 93e5faad942c77b0f136366034d5f8c680b91afc7a060824a6dc58f200d304ff
                                            • Opcode Fuzzy Hash: 72148edba0950030cd261861e038906098e80c9f425ffcf3c2ccfba6e8bb0a1d
                                            • Instruction Fuzzy Hash: 3351D1B0A00648DFDB11CFA8DC45AEEBBFAEF09300F14421AF546E3291E6349A51CF64
                                            APIs
                                            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00766C33
                                            • SetWindowLongW.USER32(?,000000EC,?), ref: 00766C4A
                                            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00766C73
                                            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0074AB79,00000000,00000000), ref: 00766C98
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00766CC7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$Long$MessageSendShow
                                            • String ID: @U=u
                                            • API String ID: 3688381893-2594219639
                                            • Opcode ID: 2ae6c83b692c4fab29c30d2e5702685eb0ebae28efb1b318aec5671e1f4f9a1c
                                            • Instruction ID: 8e2a43304c3b4aca464fda7e4930e3718abd7d3debbe045aa26bf52c66b0b581
                                            • Opcode Fuzzy Hash: 2ae6c83b692c4fab29c30d2e5702685eb0ebae28efb1b318aec5671e1f4f9a1c
                                            • Instruction Fuzzy Hash: E141E235600504AFD725CF28CC48FA57BA5EB09350F954268EC9AA72A0C379BD40CA64
                                            APIs
                                              • Part of subcall function 0075304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                                              • Part of subcall function 0075304E: _wcslen.LIBCMT ref: 0075309B
                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00751112
                                            • WSAGetLastError.WSOCK32 ref: 00751121
                                            • WSAGetLastError.WSOCK32 ref: 007511C9
                                            • closesocket.WSOCK32(00000000), ref: 007511F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                            • String ID:
                                            • API String ID: 2675159561-0
                                            • Opcode ID: cc31d782b140be486cd05b6e0f5af7f5728540ecf732877cb0a390cfa3051aa6
                                            • Instruction ID: feb7fcc3ecfa8e6373ac689c27c791dc93df588096a601cf97eda304a8dc937c
                                            • Opcode Fuzzy Hash: cc31d782b140be486cd05b6e0f5af7f5728540ecf732877cb0a390cfa3051aa6
                                            • Instruction Fuzzy Hash: 73412731600608AFDB109F24C884BE9B7EAEF44326F148099FD469B291C7B8ED45CBE5
                                            APIs
                                              • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073CF22,?), ref: 0073DDFD
                                              • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0073CF22,?), ref: 0073DE16
                                            • lstrcmpiW.KERNEL32(?,?), ref: 0073CF45
                                            • MoveFileW.KERNEL32(?,?), ref: 0073CF7F
                                            • _wcslen.LIBCMT ref: 0073D005
                                            • _wcslen.LIBCMT ref: 0073D01B
                                            • SHFileOperationW.SHELL32(?), ref: 0073D061
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                            • String ID: \*.*
                                            • API String ID: 3164238972-1173974218
                                            • Opcode ID: 373d02fcb99c48e86bf8d21b40618f4b2438aaaa9cbbe721821abaf7dd37aecd
                                            • Instruction ID: 9601f03266f9bd683ce9cf6b0f7c8f76a9196e5331cd82915d131985145e2991
                                            • Opcode Fuzzy Hash: 373d02fcb99c48e86bf8d21b40618f4b2438aaaa9cbbe721821abaf7dd37aecd
                                            • Instruction Fuzzy Hash: 06414672D0521D9EEF16EBA4D985AEE77B9AF08340F0000E6E545EB142EB38AA44CF54
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737769
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0073778F
                                            • SysAllocString.OLEAUT32(00000000), ref: 00737792
                                            • SysAllocString.OLEAUT32(?), ref: 007377B0
                                            • SysFreeString.OLEAUT32(?), ref: 007377B9
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 007377DE
                                            • SysAllocString.OLEAUT32(?), ref: 007377EC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                            • String ID:
                                            • API String ID: 3761583154-0
                                            • Opcode ID: 6d8a0044614dce685c0d54dcf17bc6535bf8985875d79ea079fac4dce5aab014
                                            • Instruction ID: 905302cf645ea7bf19f148562bf9405b07415cf1316ca88ab69910b5868b256d
                                            • Opcode Fuzzy Hash: 6d8a0044614dce685c0d54dcf17bc6535bf8985875d79ea079fac4dce5aab014
                                            • Instruction Fuzzy Hash: 4721C4B6609219AFEF24DFA9CC88CBB77ACEB09364B008025F905DB151DAB8DC41C764
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737842
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737868
                                            • SysAllocString.OLEAUT32(00000000), ref: 0073786B
                                            • SysAllocString.OLEAUT32 ref: 0073788C
                                            • SysFreeString.OLEAUT32 ref: 00737895
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 007378AF
                                            • SysAllocString.OLEAUT32(?), ref: 007378BD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                            • String ID:
                                            • API String ID: 3761583154-0
                                            • Opcode ID: 54950512331c161d40a1e58bdf7702105289d33c52871a141c5041afebd104b9
                                            • Instruction ID: e8c4cc6ed81ea05ec160518e5ebf34c4d69a3caa67b58542d631519cc673d62e
                                            • Opcode Fuzzy Hash: 54950512331c161d40a1e58bdf7702105289d33c52871a141c5041afebd104b9
                                            • Instruction Fuzzy Hash: 3921C771605305BFEB249FA9CC88DBA77ECEB09360B108025F955DB1A1DA78DC41CB68
                                            APIs
                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00765745
                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 0076579D
                                            • _wcslen.LIBCMT ref: 007657AF
                                            • _wcslen.LIBCMT ref: 007657BA
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00765816
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$_wcslen
                                            • String ID: @U=u
                                            • API String ID: 763830540-2594219639
                                            • Opcode ID: c56fccd2390b1608f7fd3c59cf3d08263af5de9dd5debd94e180cbc6ee1856e3
                                            • Instruction ID: e8bb39a81be21ff17bb14079e961dfb9db618231dd52df418a628665d0e57ac0
                                            • Opcode Fuzzy Hash: c56fccd2390b1608f7fd3c59cf3d08263af5de9dd5debd94e180cbc6ee1856e3
                                            • Instruction Fuzzy Hash: CF21B671904618DADB218F60CC84EEE7BB8FF04724F108256FD2AEB180DB789985DF54
                                            APIs
                                            • GetStdHandle.KERNEL32(0000000C), ref: 007404F2
                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0074052E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateHandlePipe
                                            • String ID: nul
                                            • API String ID: 1424370930-2873401336
                                            • Opcode ID: a3b9fd20309b675d013962801efb4031f8a59f66ce1eaac0174a8aa3c32314d0
                                            • Instruction ID: 1ed6b0ae9746cf76329a977088bf188d6789a4ecf8eb0a35fe2322b87cdec4d2
                                            • Opcode Fuzzy Hash: a3b9fd20309b675d013962801efb4031f8a59f66ce1eaac0174a8aa3c32314d0
                                            • Instruction Fuzzy Hash: D72162755003059FDF209F29DC44E5AB7A4FF45724F204A19F9A1E72E0D7749960CFA0
                                            APIs
                                            • GetStdHandle.KERNEL32(000000F6), ref: 007405C6
                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00740601
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateHandlePipe
                                            • String ID: nul
                                            • API String ID: 1424370930-2873401336
                                            • Opcode ID: bcd0efed980d3023c39921f52fa58164d8d19dbd06c047e5e0b18597057b5c57
                                            • Instruction ID: b03be76a21f565ee09cbc3a2660e6efd93a7f04d0da6d579e47c2e76eeaef315
                                            • Opcode Fuzzy Hash: bcd0efed980d3023c39921f52fa58164d8d19dbd06c047e5e0b18597057b5c57
                                            • Instruction Fuzzy Hash: 7421A3755003059FDB209F698C08A6A77E4BF85720F204A19FEA2E72D0D7B49860CB95
                                            APIs
                                              • Part of subcall function 006D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                                              • Part of subcall function 006D600E: GetStockObject.GDI32(00000011), ref: 006D6060
                                              • Part of subcall function 006D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00764112
                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0076411F
                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0076412A
                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00764139
                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00764145
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$CreateObjectStockWindow
                                            • String ID: Msctls_Progress32
                                            • API String ID: 1025951953-3636473452
                                            • Opcode ID: 3ecfc59030ac7d15fad0aa5f2d1c86abb04ce2bb1f493cc7eba3eb5208b7fe63
                                            • Instruction ID: 93e9be30a6fade97cbfa1dfe121dc6c79434937424a38b0d17747306aba4796b
                                            • Opcode Fuzzy Hash: 3ecfc59030ac7d15fad0aa5f2d1c86abb04ce2bb1f493cc7eba3eb5208b7fe63
                                            • Instruction Fuzzy Hash: 2811B2B215021DBEEF119F64CC85EE77F9DEF09798F008111FB18A2150C6769C61DBA4
                                            APIs
                                              • Part of subcall function 0070D7A3: _free.LIBCMT ref: 0070D7CC
                                            • _free.LIBCMT ref: 0070D82D
                                              • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                              • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                            • _free.LIBCMT ref: 0070D838
                                            • _free.LIBCMT ref: 0070D843
                                            • _free.LIBCMT ref: 0070D897
                                            • _free.LIBCMT ref: 0070D8A2
                                            • _free.LIBCMT ref: 0070D8AD
                                            • _free.LIBCMT ref: 0070D8B8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                            • Instruction ID: 024ac15da0b9ead7d85a1111eb4275f0f5704047666e8745ef4d7d909c2409d9
                                            • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                            • Instruction Fuzzy Hash: 4D111F72540B04EAD531BFF4CC4FFCB7BDC6F44700F405A25B299A64E3DA69B9064A50
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0073DA74
                                            • LoadStringW.USER32(00000000), ref: 0073DA7B
                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0073DA91
                                            • LoadStringW.USER32(00000000), ref: 0073DA98
                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0073DADC
                                            Strings
                                            • %s (%d) : ==> %s: %s %s, xrefs: 0073DAB9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: HandleLoadModuleString$Message
                                            • String ID: %s (%d) : ==> %s: %s %s
                                            • API String ID: 4072794657-3128320259
                                            • Opcode ID: f647ab84417c0893590261e75d3c1f7d0b3d07478031c99ad41f574c072ce597
                                            • Instruction ID: 0058098c906b0a97d094fa9ce3aede9b8d9f6a5691325e5b7c5e842c360f8389
                                            • Opcode Fuzzy Hash: f647ab84417c0893590261e75d3c1f7d0b3d07478031c99ad41f574c072ce597
                                            • Instruction Fuzzy Hash: 8501FFF6500308BBF7129BA49D89EF6766CE708701F408596F786E2042E6B89E844B78
                                            APIs
                                            • InterlockedExchange.KERNEL32(0107E798,0107E798), ref: 0074097B
                                            • EnterCriticalSection.KERNEL32(0107E778,00000000), ref: 0074098D
                                            • TerminateThread.KERNEL32(006F0074,000001F6), ref: 0074099B
                                            • WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 007409A9
                                            • CloseHandle.KERNEL32(006F0074), ref: 007409B8
                                            • InterlockedExchange.KERNEL32(0107E798,000001F6), ref: 007409C8
                                            • LeaveCriticalSection.KERNEL32(0107E778), ref: 007409CF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                            • String ID:
                                            • API String ID: 3495660284-0
                                            • Opcode ID: 29e0ea2f7e5493783159cc9e6b0c0d07287a7c6a370f32ca219b43f5a54b5196
                                            • Instruction ID: 85db687b73f16f64aa41c217686148b59ab7c0e1b06ea22aaf8513662847196b
                                            • Opcode Fuzzy Hash: 29e0ea2f7e5493783159cc9e6b0c0d07287a7c6a370f32ca219b43f5a54b5196
                                            • Instruction Fuzzy Hash: 24F03131442602BFD7425FA5EE9DBE67B35FF01702F405015F242608A0C7B9A465CFA4
                                            APIs
                                            • __allrem.LIBCMT ref: 007000BA
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007000D6
                                            • __allrem.LIBCMT ref: 007000ED
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0070010B
                                            • __allrem.LIBCMT ref: 00700122
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00700140
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 1992179935-0
                                            • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                            • Instruction ID: f49cd91cffde22e3993c3d97fd14a2f106fb5a77b9949b683dd6bac3631d9c37
                                            • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                            • Instruction Fuzzy Hash: 2E810872A01B0ADBE7209F68CC45BAE73EAAF41734F24463EF651D62C1E778D9408790
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006F82D9,006F82D9,?,?,?,0070644F,00000001,00000001,8BE85006), ref: 00706258
                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0070644F,00000001,00000001,8BE85006,?,?,?), ref: 007062DE
                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007063D8
                                            • __freea.LIBCMT ref: 007063E5
                                              • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                            • __freea.LIBCMT ref: 007063EE
                                            • __freea.LIBCMT ref: 00706413
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                            • String ID:
                                            • API String ID: 1414292761-0
                                            • Opcode ID: af83f7516c0654e0fecd1d957314104961cf34eb2aa30535d4abe13ed594feda
                                            • Instruction ID: 8b64dd50df4397370da4e6f25fc985e084d4730df93016cf20860a7b9b143cdd
                                            • Opcode Fuzzy Hash: af83f7516c0654e0fecd1d957314104961cf34eb2aa30535d4abe13ed594feda
                                            • Instruction Fuzzy Hash: EC51AF72600216EBEB258F64CC95EBFB6E9EB44754F144729F905D61C1DB38DC60C6A0
                                            APIs
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                              • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075BCCA
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075BD25
                                            • RegCloseKey.ADVAPI32(00000000), ref: 0075BD6A
                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0075BD99
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0075BDF3
                                            • RegCloseKey.ADVAPI32(?), ref: 0075BDFF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                            • String ID:
                                            • API String ID: 1120388591-0
                                            • Opcode ID: cd5efcc76ee0518db3426214f35bd8c54b33f4b6e8a2a51ca0a5087b6c4c8130
                                            • Instruction ID: d2654c93a04d55d8f3bc9f8b90b4b1613de51ef239718020df0784aef7d00bc5
                                            • Opcode Fuzzy Hash: cd5efcc76ee0518db3426214f35bd8c54b33f4b6e8a2a51ca0a5087b6c4c8130
                                            • Instruction Fuzzy Hash: 34818C30208341AFD715DF24C895E6ABBE5FF84308F14895DF8964B2A2DB75ED09CB92
                                            APIs
                                            • VariantInit.OLEAUT32(00000035), ref: 0072F7B9
                                            • SysAllocString.OLEAUT32(00000001), ref: 0072F860
                                            • VariantCopy.OLEAUT32(0072FA64,00000000), ref: 0072F889
                                            • VariantClear.OLEAUT32(0072FA64), ref: 0072F8AD
                                            • VariantCopy.OLEAUT32(0072FA64,00000000), ref: 0072F8B1
                                            • VariantClear.OLEAUT32(?), ref: 0072F8BB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Variant$ClearCopy$AllocInitString
                                            • String ID:
                                            • API String ID: 3859894641-0
                                            • Opcode ID: cfb57628a9fb640819e94aa3dd7481cb340a5377d92fa589116c5c90239ff6bc
                                            • Instruction ID: 3fa2ff2b4617be4cf224a4d7478e514ae739d5d5904191b57e8f6754f3a75f48
                                            • Opcode Fuzzy Hash: cfb57628a9fb640819e94aa3dd7481cb340a5377d92fa589116c5c90239ff6bc
                                            • Instruction Fuzzy Hash: BB51D631501320FBCF10AB65E895B39B7B5EF45310B20947BE846DF295DB789C80CB6A
                                            APIs
                                              • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 007494E5
                                            • _wcslen.LIBCMT ref: 00749506
                                            • _wcslen.LIBCMT ref: 0074952D
                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00749585
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$FileName$OpenSave
                                            • String ID: X
                                            • API String ID: 83654149-3081909835
                                            • Opcode ID: a6d4c6439b00959d211bdd36bab58cdca9adb18828165e6a9498abfd61735561
                                            • Instruction ID: 850dce11c78de4b7de1c64a23cf7f15604053cf3f47aa04a0c535898a727285d
                                            • Opcode Fuzzy Hash: a6d4c6439b00959d211bdd36bab58cdca9adb18828165e6a9498abfd61735561
                                            • Instruction Fuzzy Hash: CDE1AE31A083409FC764DF24C881A6BB7E1BF85314F14896DF9899B3A2EB35DD05CB96
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                            • BeginPaint.USER32(?,?,?), ref: 006E9241
                                            • GetWindowRect.USER32(?,?), ref: 006E92A5
                                            • ScreenToClient.USER32(?,?), ref: 006E92C2
                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006E92D3
                                            • EndPaint.USER32(?,?,?,?,?), ref: 006E9321
                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007271EA
                                              • Part of subcall function 006E9339: BeginPath.GDI32(00000000), ref: 006E9357
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                            • String ID:
                                            • API String ID: 3050599898-0
                                            • Opcode ID: 38ea0b68587e41847d58a21dbd254755bf241000b0f46e1f5c7ee1a16015cdea
                                            • Instruction ID: 406f56c88ab487128e234f3c1157ec71c64a1cf9239508a59b34d8c4eb5b0573
                                            • Opcode Fuzzy Hash: 38ea0b68587e41847d58a21dbd254755bf241000b0f46e1f5c7ee1a16015cdea
                                            • Instruction Fuzzy Hash: 7941E030105340AFE711DF25DC84FBB7BA9EF86320F104229FAA5872E1C774A845DB66
                                            APIs
                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0074080C
                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00740847
                                            • EnterCriticalSection.KERNEL32(?), ref: 00740863
                                            • LeaveCriticalSection.KERNEL32(?), ref: 007408DC
                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007408F3
                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00740921
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3368777196-0
                                            • Opcode ID: b7d32358b70d7e07578c3d54cfe5c51def896fe59852ee38abab1d70751fd860
                                            • Instruction ID: 176038c1395d604e9a5befa5a508e98b62bc0755d1b71423d633178c50660099
                                            • Opcode Fuzzy Hash: b7d32358b70d7e07578c3d54cfe5c51def896fe59852ee38abab1d70751fd860
                                            • Instruction Fuzzy Hash: 28419C71900205EFEF05AF54DC85A6A7779FF04300F1080A9EE00AA297DB74EE65DBA8
                                            APIs
                                              • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                                            • _wcslen.LIBCMT ref: 0074587B
                                            • CoInitialize.OLE32(00000000), ref: 00745995
                                            • CoCreateInstance.OLE32(0076FCF8,00000000,00000001,0076FB68,?), ref: 007459AE
                                            • CoUninitialize.OLE32 ref: 007459CC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                            • String ID: .lnk
                                            • API String ID: 3172280962-24824748
                                            • Opcode ID: c94bdcb5356e88c5c068ab8dba1a093f5b7c3958d45d01a1fe4b443b555559cf
                                            • Instruction ID: 34272237e39419d327b684f75dea15cc4c646b881185779a39875e0e21873e5a
                                            • Opcode Fuzzy Hash: c94bdcb5356e88c5c068ab8dba1a093f5b7c3958d45d01a1fe4b443b555559cf
                                            • Instruction Fuzzy Hash: 7ED143B1A08701DFC714DF24C48492ABBE6EF89710F14895DF88A9B362DB35EC45CB92
                                            APIs
                                              • Part of subcall function 00730FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00730FCA
                                              • Part of subcall function 00730FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00730FD6
                                              • Part of subcall function 00730FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00730FE5
                                              • Part of subcall function 00730FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00730FEC
                                              • Part of subcall function 00730FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00731002
                                            • GetLengthSid.ADVAPI32(?,00000000,00731335), ref: 007317AE
                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007317BA
                                            • HeapAlloc.KERNEL32(00000000), ref: 007317C1
                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 007317DA
                                            • GetProcessHeap.KERNEL32(00000000,00000000,00731335), ref: 007317EE
                                            • HeapFree.KERNEL32(00000000), ref: 007317F5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                            • String ID:
                                            • API String ID: 3008561057-0
                                            • Opcode ID: ef3157d1178847a0f2e254d23b2e48c8bef6dc1568ed7cfab561c10aea7ddfd2
                                            • Instruction ID: ce9f4102562c6a17b14b863ccf99e89bef7022874a9e246e2233330f1cbae1e7
                                            • Opcode Fuzzy Hash: ef3157d1178847a0f2e254d23b2e48c8bef6dc1568ed7cfab561c10aea7ddfd2
                                            • Instruction Fuzzy Hash: FC11BE71500205FFEB259FA4CC49BBE7BA9EB42355F588018F48297212D77AAD44CB70
                                            APIs
                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007314FF
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00731506
                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00731515
                                            • CloseHandle.KERNEL32(00000004), ref: 00731520
                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0073154F
                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00731563
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                            • String ID:
                                            • API String ID: 1413079979-0
                                            • Opcode ID: 30ace8396ff4b67202ace4f4f5582e1ac98434b35af4cc632e69d70966ce7b31
                                            • Instruction ID: 7752e96556bf7098752836b9a4189164ee6656ee30418db30c411410b39aff72
                                            • Opcode Fuzzy Hash: 30ace8396ff4b67202ace4f4f5582e1ac98434b35af4cc632e69d70966ce7b31
                                            • Instruction Fuzzy Hash: E9116A7250024DEBEF128F98DD49FEE7BA9EF48744F048015FA06A2160C3B9CE60DB60
                                            APIs
                                            • GetLastError.KERNEL32(?,?,006F3379,006F2FE5), ref: 006F3390
                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006F339E
                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006F33B7
                                            • SetLastError.KERNEL32(00000000,?,006F3379,006F2FE5), ref: 006F3409
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorLastValue___vcrt_
                                            • String ID:
                                            • API String ID: 3852720340-0
                                            • Opcode ID: 5e8d5aa230d56d240fcb7788c7ad66c8a91b4fbc19379eb3681a03ceac465f8e
                                            • Instruction ID: 9529aa9e34b84ad00dae042c4f8f1d4d761b0bd74a4551f670112d56e64e3996
                                            • Opcode Fuzzy Hash: 5e8d5aa230d56d240fcb7788c7ad66c8a91b4fbc19379eb3681a03ceac465f8e
                                            • Instruction Fuzzy Hash: 35012433208339BEAA2627787C85AB72A96EB15379B20422EF710C43F0EF554D12514C
                                            APIs
                                            • GetLastError.KERNEL32(?,?,00705686,00713CD6,?,00000000,?,00705B6A,?,?,?,?,?,006FE6D1,?,00798A48), ref: 00702D78
                                            • _free.LIBCMT ref: 00702DAB
                                            • _free.LIBCMT ref: 00702DD3
                                            • SetLastError.KERNEL32(00000000,?,?,?,?,006FE6D1,?,00798A48,00000010,006D4F4A,?,?,00000000,00713CD6), ref: 00702DE0
                                            • SetLastError.KERNEL32(00000000,?,?,?,?,006FE6D1,?,00798A48,00000010,006D4F4A,?,?,00000000,00713CD6), ref: 00702DEC
                                            • _abort.LIBCMT ref: 00702DF2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_free$_abort
                                            • String ID:
                                            • API String ID: 3160817290-0
                                            • Opcode ID: 1bf2c61ca496c118ac84d8d4ab22444a04b3b128eba0b0ea8065ae74983b2727
                                            • Instruction ID: 6cfdca0e940aa55a786ef650f56660886d82423e6a7976676cc39de376e08ec3
                                            • Opcode Fuzzy Hash: 1bf2c61ca496c118ac84d8d4ab22444a04b3b128eba0b0ea8065ae74983b2727
                                            • Instruction Fuzzy Hash: 40F0A477644600F7C6137735AC0EA2A26D9AFC27A5B358719F825922E3EE6C9C034165
                                            APIs
                                              • Part of subcall function 006E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                                              • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96A2
                                              • Part of subcall function 006E9639: BeginPath.GDI32(?), ref: 006E96B9
                                              • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96E2
                                            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00768A4E
                                            • LineTo.GDI32(?,00000003,00000000), ref: 00768A62
                                            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00768A70
                                            • LineTo.GDI32(?,00000000,00000003), ref: 00768A80
                                            • EndPath.GDI32(?), ref: 00768A90
                                            • StrokePath.GDI32(?), ref: 00768AA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                            • String ID:
                                            • API String ID: 43455801-0
                                            • Opcode ID: f550b3b9478693dd57922e8204f6d2f56b350bbdddb44621cd323f9a5b4d8501
                                            • Instruction ID: 52592dd170973d18b7b48f2c46c376cab8ae405443b3a318e06d09a373665f71
                                            • Opcode Fuzzy Hash: f550b3b9478693dd57922e8204f6d2f56b350bbdddb44621cd323f9a5b4d8501
                                            • Instruction Fuzzy Hash: 6011FA7600024CFFEB129F94DC48EAA7F6DEB08350F00C012FA5699161C7759D55DBA4
                                            APIs
                                            • GetDC.USER32(00000000), ref: 00735218
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00735229
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00735230
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00735238
                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0073524F
                                            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00735261
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CapsDevice$Release
                                            • String ID:
                                            • API String ID: 1035833867-0
                                            • Opcode ID: 76eabd7d5670af19740b4cf0828191f4f75e8da2679fba080eb5bd5d5bf2d6e3
                                            • Instruction ID: 2e758272dbe18e8a85b09aafdbf5d1e91300496cf326e1cbe9440c3b58ecdc2d
                                            • Opcode Fuzzy Hash: 76eabd7d5670af19740b4cf0828191f4f75e8da2679fba080eb5bd5d5bf2d6e3
                                            • Instruction Fuzzy Hash: 65018FB5A00718BBEB119BA5DC49A5EBFB8FB48351F048066FA05A7281D6B49800CBA4
                                            APIs
                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006D1BF4
                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 006D1BFC
                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006D1C07
                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006D1C12
                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 006D1C1A
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 006D1C22
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Virtual
                                            • String ID:
                                            • API String ID: 4278518827-0
                                            • Opcode ID: f8f573ff264a3accc1374b1108628eac8e54e81d8ab5dede308f89756a343562
                                            • Instruction ID: 04f8397cd30ee4ca6652d0ca47f51ccfab23aec15ea65f99ff32b51637731597
                                            • Opcode Fuzzy Hash: f8f573ff264a3accc1374b1108628eac8e54e81d8ab5dede308f89756a343562
                                            • Instruction Fuzzy Hash: B50148B090275A7DE3008F5A8C85A52FEA8FF19354F00415B915C47941C7F5A864CBE5
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0073EB30
                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0073EB46
                                            • GetWindowThreadProcessId.USER32(?,?), ref: 0073EB55
                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB64
                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB6E
                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB75
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                            • String ID:
                                            • API String ID: 839392675-0
                                            • Opcode ID: 97f5b6ac5880c7a9c23156c82bb810a0581617701c6eb053d980895b06a0684a
                                            • Instruction ID: e84d1ee2c240ca9e514bce230c3ac318a71878f39679f3d13464842d4fe44adc
                                            • Opcode Fuzzy Hash: 97f5b6ac5880c7a9c23156c82bb810a0581617701c6eb053d980895b06a0684a
                                            • Instruction Fuzzy Hash: BCF01DB2140258BBE6226752DC0EEBB7A7CEFCAB11F008158F642E119196E85A0186B9
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0073187F
                                            • UnloadUserProfile.USERENV(?,?), ref: 0073188B
                                            • CloseHandle.KERNEL32(?), ref: 00731894
                                            • CloseHandle.KERNEL32(?), ref: 0073189C
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 007318A5
                                            • HeapFree.KERNEL32(00000000), ref: 007318AC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                            • String ID:
                                            • API String ID: 146765662-0
                                            • Opcode ID: c1923dbc58f787326767a73917f90bf901ac767ab05dcdeec0e15f16198bfdc0
                                            • Instruction ID: 141c59215779c5d4788b32c57112b7e50769a73c984b7c135b9074fcd14691a2
                                            • Opcode Fuzzy Hash: c1923dbc58f787326767a73917f90bf901ac767ab05dcdeec0e15f16198bfdc0
                                            • Instruction Fuzzy Hash: D1E0ED76004205BBDB026FA2ED0C915BF39FF4A722710C221F26691170CBB65420DF64
                                            APIs
                                            • __Init_thread_footer.LIBCMT ref: 006DBEB3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Init_thread_footer
                                            • String ID: D%z$D%z$D%z$D%zD%z
                                            • API String ID: 1385522511-3299656855
                                            • Opcode ID: 1820b6924b1cda8e42478be900116b557a273e6a701fc6d5d1c3541a110da116
                                            • Instruction ID: 76cdcd034df3da95fbb41347c63be535bc09ddb897b6cc40f19f547912ba22df
                                            • Opcode Fuzzy Hash: 1820b6924b1cda8e42478be900116b557a273e6a701fc6d5d1c3541a110da116
                                            • Instruction Fuzzy Hash: 69913975E0020ACFCB18CF59C0906A9B7F2FF99310B25916ED945AB355E731E982CB90
                                            APIs
                                              • Part of subcall function 006F0242: EnterCriticalSection.KERNEL32(007A070C,007A1884,?,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F024D
                                              • Part of subcall function 006F0242: LeaveCriticalSection.KERNEL32(007A070C,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F028A
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                              • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
                                            • __Init_thread_footer.LIBCMT ref: 00757BFB
                                              • Part of subcall function 006F01F8: EnterCriticalSection.KERNEL32(007A070C,?,?,006E8747,007A2514), ref: 006F0202
                                              • Part of subcall function 006F01F8: LeaveCriticalSection.KERNEL32(007A070C,?,006E8747,007A2514), ref: 006F0235
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                            • String ID: +Tr$5$G$Variable must be of type 'Object'.
                                            • API String ID: 535116098-3922178991
                                            • Opcode ID: 8d361bc94315e2145f1e48efb968795b02298359e55894987630f4fc05c56070
                                            • Instruction ID: 2206e359d11c50ddeb99546b003d16ca6d0b0d8ef8046fee7470b2ae0cee4b54
                                            • Opcode Fuzzy Hash: 8d361bc94315e2145f1e48efb968795b02298359e55894987630f4fc05c56070
                                            • Instruction Fuzzy Hash: 33916E70A04209EFCB08EF54E8959FDB7B6BF45301F108059FC069B292DBB9AE49CB51
                                            APIs
                                              • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073C6EE
                                            • _wcslen.LIBCMT ref: 0073C735
                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073C79C
                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0073C7CA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info_wcslen$Default
                                            • String ID: 0
                                            • API String ID: 1227352736-4108050209
                                            • Opcode ID: cce7a40df165e80a7bf97d89d8d0f2bc549fb65f422caba08b6371269da8bf12
                                            • Instruction ID: e5643bfa15046385d4a978f1d28c96324a376140dacba306339e2fa206df9a4f
                                            • Opcode Fuzzy Hash: cce7a40df165e80a7bf97d89d8d0f2bc549fb65f422caba08b6371269da8bf12
                                            • Instruction Fuzzy Hash: 4751E2726043409BF7529F28C885B6B77E8AF89310F040A2DF996F31A2DB78DD04CB56
                                            APIs
                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0075AEA3
                                              • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                            • GetProcessId.KERNEL32(00000000), ref: 0075AF38
                                            • CloseHandle.KERNEL32(00000000), ref: 0075AF67
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CloseExecuteHandleProcessShell_wcslen
                                            • String ID: <$@
                                            • API String ID: 146682121-1426351568
                                            • Opcode ID: aa6c94968390cb514143bfcdb2a0508bf86eac2cc161d69cc3b5f864e4b1c183
                                            • Instruction ID: b2ca69c7a6418ea6f542347675365c20de0372fe578b24fc5c439158ad828611
                                            • Opcode Fuzzy Hash: aa6c94968390cb514143bfcdb2a0508bf86eac2cc161d69cc3b5f864e4b1c183
                                            • Instruction Fuzzy Hash: 18715971A00219DFCB14DF54D485A9EBBF1BF08310F0485AEE816AB392DB74ED45CB95
                                            APIs
                                            • GetWindowRect.USER32(0108E7F0,?), ref: 007662E2
                                            • ScreenToClient.USER32(?,?), ref: 00766315
                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00766382
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$ClientMoveRectScreen
                                            • String ID: @U=u
                                            • API String ID: 3880355969-2594219639
                                            • Opcode ID: f6bf5943e4a54002916e905dc0ee04c00ab54ede5f30f7929b8415f10dcb7526
                                            • Instruction ID: 64facde40cee0d18254da372a64f90f244da86788e41b0d8d4ce4715fa12eab9
                                            • Opcode Fuzzy Hash: f6bf5943e4a54002916e905dc0ee04c00ab54ede5f30f7929b8415f10dcb7526
                                            • Instruction Fuzzy Hash: 6D513A74A00249EFDF10DF69D8809AE7BB6FF85360F50815AF9169B290D734ED81CB50
                                            APIs
                                              • Part of subcall function 0073B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321D0,?,?,00000034,00000800,?,00000034), ref: 0073B42D
                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00732760
                                              • Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
                                              • Part of subcall function 0073B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0073B355
                                              • Part of subcall function 0073B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B365
                                              • Part of subcall function 0073B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B37B
                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007327CD
                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0073281A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                            • String ID: @$@U=u
                                            • API String ID: 4150878124-826235744
                                            • Opcode ID: eac3997c4ef64c4269b5cdeff22c686b0cda9324d02086de95a1065d277f8673
                                            • Instruction ID: 0a9c8692b59d17b0ea48739fd9bb4e5d2040e7ad31b27f652f0bceb64923a82b
                                            • Opcode Fuzzy Hash: eac3997c4ef64c4269b5cdeff22c686b0cda9324d02086de95a1065d277f8673
                                            • Instruction Fuzzy Hash: 19412E76901218BFEB10DFA4CD45AEEBBB8EF09700F104099FA55B7182DB746E45CBA1
                                            APIs
                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00737206
                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0073723C
                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0073724D
                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007372CF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                            • String ID: DllGetClassObject
                                            • API String ID: 753597075-1075368562
                                            • Opcode ID: 8fae348152053146573f0432cfc1cf529a9a94566f8e5d63617a85e3d866545e
                                            • Instruction ID: c411d1eb9db18e9f20f84f30a2d6589b7704a4370115330de7fa7a5e61e04184
                                            • Opcode Fuzzy Hash: 8fae348152053146573f0432cfc1cf529a9a94566f8e5d63617a85e3d866545e
                                            • Instruction Fuzzy Hash: E5411DF2604205DFEB29CF54C884A9B7BB9FF49310F1580A9BD059F20AD7B9D944DBA0
                                            APIs
                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00765352
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00765375
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00765382
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007653A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LongWindow$InvalidateMessageRectSend
                                            • String ID: @U=u
                                            • API String ID: 3340791633-2594219639
                                            • Opcode ID: c830634590ab639b2e6a12a51eafe71ae96d4850040d1802024a1102fca038ce
                                            • Instruction ID: 74a88d587b45ce700f330a99fcbc8322841d25d23700ca04147ccd12ebafb0dd
                                            • Opcode Fuzzy Hash: c830634590ab639b2e6a12a51eafe71ae96d4850040d1802024a1102fca038ce
                                            • Instruction Fuzzy Hash: ED31D234A55A08EFEB309E16CC05BE93761AB05B98F584102FE13963E1C7BC9D40FB45
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen
                                            • String ID: HKEY_LOCAL_MACHINE$HKLM
                                            • API String ID: 176396367-4004644295
                                            • Opcode ID: 548af75eb8b65f76a841b9cd07578a58e523117c82e4d16ea521d657c73aa2ac
                                            • Instruction ID: 313341458b71fb8ee421b277f3af122373837473f698d44659b27720320bf3ac
                                            • Opcode Fuzzy Hash: 548af75eb8b65f76a841b9cd07578a58e523117c82e4d16ea521d657c73aa2ac
                                            • Instruction Fuzzy Hash: CB31D772A002694FCB22DF2C99406FF3B925BA1751B15802DEC456B345EAF9CD48D3A4
                                            APIs
                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00762F8D
                                            • LoadLibraryW.KERNEL32(?), ref: 00762F94
                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00762FA9
                                            • DestroyWindow.USER32(?), ref: 00762FB1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$DestroyLibraryLoadWindow
                                            • String ID: SysAnimate32
                                            • API String ID: 3529120543-1011021900
                                            • Opcode ID: 0eebaf71a50527c5f26ccc9d03f3d60966a4ab20ceea4e55203df512bd9c4897
                                            • Instruction ID: adec3db30a13d66e342eb2a37a270546e534539d3a460560a75e3227ef2b74ea
                                            • Opcode Fuzzy Hash: 0eebaf71a50527c5f26ccc9d03f3d60966a4ab20ceea4e55203df512bd9c4897
                                            • Instruction Fuzzy Hash: 7621DE71204605ABEB514FA4DC80EFB37B9EF59364F108618FE52D61A1C7B9DC429B60
                                            APIs
                                            • SendMessageW.USER32(?,00001060,?,00000004), ref: 007656BB
                                            • _wcslen.LIBCMT ref: 007656CD
                                            • _wcslen.LIBCMT ref: 007656D8
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00765816
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend_wcslen
                                            • String ID: @U=u
                                            • API String ID: 455545452-2594219639
                                            • Opcode ID: 5e22cd5e624771397ea6e71fd5f6cc09b6199d8e32833313fc1122a338951d44
                                            • Instruction ID: 153c91954f252fac200f35e40e8631235ed6b0233978e00d847452b50e385052
                                            • Opcode Fuzzy Hash: 5e22cd5e624771397ea6e71fd5f6cc09b6199d8e32833313fc1122a338951d44
                                            • Instruction Fuzzy Hash: 5211E17160060996DB209F61CC85AFE3BACAF01764F10806AFD17D6081EBB89A84DB64
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                                            • GetStockObject.GDI32(00000011), ref: 006D6060
                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateMessageObjectSendStockWindow
                                            • String ID: @U=u
                                            • API String ID: 3970641297-2594219639
                                            • Opcode ID: 2691cad14fcc98602785e7ca5b2b84be93d426f270ea6095a6835f482d173d9e
                                            • Instruction ID: 311bf313fd1fbb70a29bc3158dc5b6c022eb23ce523022bc88addb69fbcd9bf0
                                            • Opcode Fuzzy Hash: 2691cad14fcc98602785e7ca5b2b84be93d426f270ea6095a6835f482d173d9e
                                            • Instruction Fuzzy Hash: CE11C472901608BFEF125F94CD44EFA7B6AFF09354F004102FA1552210C776DC60DB90
                                            APIs
                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006F4D1E,007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002), ref: 006F4D8D
                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F4DA0
                                            • FreeLibrary.KERNEL32(00000000,?,?,?,006F4D1E,007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000), ref: 006F4DC3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            • Opcode ID: a049f690f4cbf51a17be44465992fd00fb22dc04e0f73f63edc27ef81d521838
                                            • Instruction ID: 258562cd605416a438d072dd977abc58dd594bffcc21d92d8f0b54901819460e
                                            • Opcode Fuzzy Hash: a049f690f4cbf51a17be44465992fd00fb22dc04e0f73f63edc27ef81d521838
                                            • Instruction Fuzzy Hash: 71F0813050020CABDB159B94DC09BFEBBA5EF44751F004095E90AA2650DB745D40CAD4
                                            APIs
                                            • LoadLibraryA.KERNEL32 ref: 0072D3AD
                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0072D3BF
                                            • FreeLibrary.KERNEL32(00000000), ref: 0072D3E5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Library$AddressFreeLoadProc
                                            • String ID: GetSystemWow64DirectoryW$X64
                                            • API String ID: 145871493-2590602151
                                            • Opcode ID: 82e93b54213b02991a579f62d4f93873eb9722f67e68129a711be70db5532b82
                                            • Instruction ID: f08101681890dacfcaccd71e2aff04959e5da7f0330e2420a7c3307487db59af
                                            • Opcode Fuzzy Hash: 82e93b54213b02991a579f62d4f93873eb9722f67e68129a711be70db5532b82
                                            • Instruction Fuzzy Hash: A1F055B0802730CBE736AB11EC189BD7351BF02701F68C196F843E1002DB6CCE408687
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E9C
                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4EAE
                                            • FreeLibrary.KERNEL32(00000000,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Library$AddressFreeLoadProc
                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                            • API String ID: 145871493-3689287502
                                            • Opcode ID: 9d5ce33633201b8f879a8db36e3ca157817e20daa987039bf88cb54275b40043
                                            • Instruction ID: 0f5f9f2ec540540f642a2e679f1964a5c1bae3f48832e1a6788cdcc52f817ce8
                                            • Opcode Fuzzy Hash: 9d5ce33633201b8f879a8db36e3ca157817e20daa987039bf88cb54275b40043
                                            • Instruction Fuzzy Hash: 18E0CD75E017226BD23317257C18BBF7755AF82F627094116FC46D2300DFB8CD0140A4
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E62
                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4E74
                                            • FreeLibrary.KERNEL32(00000000,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E87
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Library$AddressFreeLoadProc
                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                            • API String ID: 145871493-1355242751
                                            • Opcode ID: 659d644e2e34fd384737fe50803d7a64dc8530789483f8d4ce3e1997e85353df
                                            • Instruction ID: 1e287c962f316968d2365e3f51110a7c30c07a87d38941802b722ec1666283b7
                                            • Opcode Fuzzy Hash: 659d644e2e34fd384737fe50803d7a64dc8530789483f8d4ce3e1997e85353df
                                            • Instruction Fuzzy Hash: 92D0C271902761674A231B24BC08DEB3B1AAFC6B513054212F846A2310CFB8CD0181D4
                                            APIs
                                            • GetCurrentProcessId.KERNEL32 ref: 0075A427
                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0075A435
                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0075A468
                                            • CloseHandle.KERNEL32(?), ref: 0075A63D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$CloseCountersCurrentHandleOpen
                                            • String ID:
                                            • API String ID: 3488606520-0
                                            • Opcode ID: 49fb00e88d3e66cb24ea3d85d9bedd10df30d1bc6a6037cd988eb96f26e84563
                                            • Instruction ID: 5b76c2fdd5220a04bbe4d7147e2f0f6785f7009a9cc21663cc82b71276b17e58
                                            • Opcode Fuzzy Hash: 49fb00e88d3e66cb24ea3d85d9bedd10df30d1bc6a6037cd988eb96f26e84563
                                            • Instruction Fuzzy Hash: C8A1B071604301AFD760DF24C882F6AB7E6AF84714F14891DF99A9B392D7B4EC44CB86
                                            APIs
                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00773700), ref: 0070BB91
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,007A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0070BC09
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,007A1270,000000FF,?,0000003F,00000000,?), ref: 0070BC36
                                            • _free.LIBCMT ref: 0070BB7F
                                              • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                              • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                            • _free.LIBCMT ref: 0070BD4B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                            • String ID:
                                            • API String ID: 1286116820-0
                                            • Opcode ID: 7c7d7ddf5236eaf70b0799f9a9f70dbe2c4ac6f29027a869e3926a9fad197ab8
                                            • Instruction ID: 872fe7b4f56e26affa0f48dd98180a6c4461752e70c652df0ef9cc4b7f8ad31a
                                            • Opcode Fuzzy Hash: 7c7d7ddf5236eaf70b0799f9a9f70dbe2c4ac6f29027a869e3926a9fad197ab8
                                            • Instruction Fuzzy Hash: 79510571900209EFEB10EF659C85AAAB7F8FF81350F50436AE450D72E1EB789F418B64
                                            APIs
                                              • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073CF22,?), ref: 0073DDFD
                                              • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0073CF22,?), ref: 0073DE16
                                              • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
                                            • lstrcmpiW.KERNEL32(?,?), ref: 0073E473
                                            • MoveFileW.KERNEL32(?,?), ref: 0073E4AC
                                            • _wcslen.LIBCMT ref: 0073E5EB
                                            • _wcslen.LIBCMT ref: 0073E603
                                            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0073E650
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                            • String ID:
                                            • API String ID: 3183298772-0
                                            • Opcode ID: 2d7df6fed0f53378a84d9ff7156ea17c4e90b5152516c5bc573669ba4461a812
                                            • Instruction ID: 02cbf1f3057567ad04ac310bbafe162ade73db8a0de28b8cde86948f88b225c5
                                            • Opcode Fuzzy Hash: 2d7df6fed0f53378a84d9ff7156ea17c4e90b5152516c5bc573669ba4461a812
                                            • Instruction Fuzzy Hash: 655185B25083859BD764DB90DC819DF77ED9F84340F00491EF6C9D3192EF78A588876A
                                            APIs
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                              • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                                              • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075BAA5
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075BB00
                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0075BB63
                                            • RegCloseKey.ADVAPI32(?,?), ref: 0075BBA6
                                            • RegCloseKey.ADVAPI32(00000000), ref: 0075BBB3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                            • String ID:
                                            • API String ID: 826366716-0
                                            • Opcode ID: 6d018a37206ca4c63a0d61ce5841cd133cadbff730644fd2756a29846960f23b
                                            • Instruction ID: 600d2c260b09e32b27a6b7555b8650f2cceb2eacb3074690977f666e6f2dee4a
                                            • Opcode Fuzzy Hash: 6d018a37206ca4c63a0d61ce5841cd133cadbff730644fd2756a29846960f23b
                                            • Instruction Fuzzy Hash: E861C271208241AFD314DF14C890E7ABBE5FF84308F14855DF8994B2A2DB75ED49CB92
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00738BCD
                                            • VariantClear.OLEAUT32 ref: 00738C3E
                                            • VariantClear.OLEAUT32 ref: 00738C9D
                                            • VariantClear.OLEAUT32(?), ref: 00738D10
                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00738D3B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ChangeInitType
                                            • String ID:
                                            • API String ID: 4136290138-0
                                            • Opcode ID: 25e429a72c5b7b9c90e7bd36870cba5aaca216c79db604f05e0c12ef6b1927c7
                                            • Instruction ID: be83457bb7a87ba22a21e248b5ec7bf40c83c5ef64bd65d69e4e20c4e7dab463
                                            • Opcode Fuzzy Hash: 25e429a72c5b7b9c90e7bd36870cba5aaca216c79db604f05e0c12ef6b1927c7
                                            • Instruction Fuzzy Hash: 4A5148B5A00219AFDB10CF68C884AAABBF4FF8D310F158559F915DB350EB34E911CBA1
                                            APIs
                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00748BAE
                                            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00748BDA
                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00748C32
                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00748C57
                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00748C5F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: PrivateProfile$SectionWrite$String
                                            • String ID:
                                            • API String ID: 2832842796-0
                                            • Opcode ID: ab434d30c4c528d65920ab2ee6aed74cca38b16c89c0d684dd4b70491ba8745d
                                            • Instruction ID: 9635f52530465e3d0e3cafd6b59a35548ab925787677d3e6ba7d22bbe5ff217a
                                            • Opcode Fuzzy Hash: ab434d30c4c528d65920ab2ee6aed74cca38b16c89c0d684dd4b70491ba8745d
                                            • Instruction Fuzzy Hash: 67515D35A002199FCB45DF65C880E6DBBF6FF48314F088499E849AB362DB35ED41CBA5
                                            APIs
                                            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00758F40
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00758FD0
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00758FEC
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00759032
                                            • FreeLibrary.KERNEL32(00000000), ref: 00759052
                                              • Part of subcall function 006EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00741043,?,75B8E610), ref: 006EF6E6
                                              • Part of subcall function 006EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0072FA64,00000000,00000000,?,?,00741043,?,75B8E610,?,0072FA64), ref: 006EF70D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                            • String ID:
                                            • API String ID: 666041331-0
                                            • Opcode ID: 57a9ecce90e01b5e1216616bdd9693d8e421d65a591892b48d37a04d96ba8fe1
                                            • Instruction ID: a8a04b439705a8663272b93bcaafbaf0d1b033a4d8add5ab4e450daeb78476a7
                                            • Opcode Fuzzy Hash: 57a9ecce90e01b5e1216616bdd9693d8e421d65a591892b48d37a04d96ba8fe1
                                            • Instruction Fuzzy Hash: CA514A35A00205DFC745DF54C4948ADBBB1FF49315F088099ED0AAB3A2DB75ED89CB91
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free
                                            • String ID:
                                            • API String ID: 269201875-0
                                            • Opcode ID: 6c0e1822d327b044fbdbf4d48a394b482efa80c14e2a0fb46491e7511a580de6
                                            • Instruction ID: 717a3d38f3b0a76fd539a1934feb05e6fd1f8bc575b02f3d5dfe20c238920c3e
                                            • Opcode Fuzzy Hash: 6c0e1822d327b044fbdbf4d48a394b482efa80c14e2a0fb46491e7511a580de6
                                            • Instruction Fuzzy Hash: F5419333A00304DFCB24DF78C885A59B7E5EF89314F1546A9E615EB392DA35AD02CB91
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 006E9141
                                            • ScreenToClient.USER32(00000000,?), ref: 006E915E
                                            • GetAsyncKeyState.USER32(00000001), ref: 006E9183
                                            • GetAsyncKeyState.USER32(00000002), ref: 006E919D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: AsyncState$ClientCursorScreen
                                            • String ID:
                                            • API String ID: 4210589936-0
                                            • Opcode ID: 0eda5e36a253d7be3392cee5c6fe967064d7198722622a1ddbd248f0828bfc85
                                            • Instruction ID: 97797849ca386c7e494e2613036b4a0810a48c0de4450d8f71e1b2f226d17847
                                            • Opcode Fuzzy Hash: 0eda5e36a253d7be3392cee5c6fe967064d7198722622a1ddbd248f0828bfc85
                                            • Instruction Fuzzy Hash: A7416E3190861AFBDF199F65D848BEEB775FF45320F208219E429A6290C7345D50CB61
                                            APIs
                                            • GetInputState.USER32 ref: 007438CB
                                            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00743922
                                            • TranslateMessage.USER32(?), ref: 0074394B
                                            • DispatchMessageW.USER32(?), ref: 00743955
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00743966
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                            • String ID:
                                            • API String ID: 2256411358-0
                                            • Opcode ID: 0005dff570550ebaee44bd682dfb8308285f8a00ad567535cd06bb89597ac496
                                            • Instruction ID: b0e53533a439444c0e536f4926ee93769234d1a33d9765992d95d730e36d990f
                                            • Opcode Fuzzy Hash: 0005dff570550ebaee44bd682dfb8308285f8a00ad567535cd06bb89597ac496
                                            • Instruction Fuzzy Hash: AF31D9709043419EFB35CB349C48BB777A8AB46308F54856DD4AAC20A0E3FCB685CB25
                                            APIs
                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0074C21E,00000000), ref: 0074CF38
                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 0074CF6F
                                            • GetLastError.KERNEL32(?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFB4
                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFC8
                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFF2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                            • String ID:
                                            • API String ID: 3191363074-0
                                            • Opcode ID: d13cc3a6850d49ec49818a75c86a2ff9923a88fd9b870b183d64e28268748e1d
                                            • Instruction ID: 27fa84bd04711c806bc02e1d4ad49df109c0b73f08f2853845a498e5b947c5cb
                                            • Opcode Fuzzy Hash: d13cc3a6850d49ec49818a75c86a2ff9923a88fd9b870b183d64e28268748e1d
                                            • Instruction Fuzzy Hash: 51317C72601305EFDB61DFA5C884AABBBF9EF14310B10842EF546D2101EB78AE459B60
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 00731915
                                            • PostMessageW.USER32(00000001,00000201,00000001), ref: 007319C1
                                            • Sleep.KERNEL32(00000000,?,?,?), ref: 007319C9
                                            • PostMessageW.USER32(00000001,00000202,00000000), ref: 007319DA
                                            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 007319E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessagePostSleep$RectWindow
                                            • String ID:
                                            • API String ID: 3382505437-0
                                            • Opcode ID: cceb56a4551262e3719a040504c5f4dc050b1b1d3e4e0923e453078d42f7cb51
                                            • Instruction ID: a5c205be8fb9ab9880f33f60ce73bd598c9f5e64d999ffce5ecbab432bc6bfd2
                                            • Opcode Fuzzy Hash: cceb56a4551262e3719a040504c5f4dc050b1b1d3e4e0923e453078d42f7cb51
                                            • Instruction Fuzzy Hash: 9631F471900259EFDB04CFA8CD99BEE3BB5EB04315F008225F962A72D1C7B4AD54CB90
                                            APIs
                                            • IsWindow.USER32(00000000), ref: 00750951
                                            • GetForegroundWindow.USER32 ref: 00750968
                                            • GetDC.USER32(00000000), ref: 007509A4
                                            • GetPixel.GDI32(00000000,?,00000003), ref: 007509B0
                                            • ReleaseDC.USER32(00000000,00000003), ref: 007509E8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$ForegroundPixelRelease
                                            • String ID:
                                            • API String ID: 4156661090-0
                                            • Opcode ID: 70265cd338f37e37eddcc7679fc4e11f12472575aa2801272c9e6592f91a0fa0
                                            • Instruction ID: 2fb4971eca20e1512e629438959a9b3dce577d6958720b4a98b43d46169058c9
                                            • Opcode Fuzzy Hash: 70265cd338f37e37eddcc7679fc4e11f12472575aa2801272c9e6592f91a0fa0
                                            • Instruction Fuzzy Hash: D1216F39A00214AFD704EF69D888AAEBBE5EF44701F04806DE84A97352DBB4AC44CB94
                                            APIs
                                            • GetEnvironmentStringsW.KERNEL32 ref: 0070CDC6
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0070CDE9
                                              • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0070CE0F
                                            • _free.LIBCMT ref: 0070CE22
                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070CE31
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                            • String ID:
                                            • API String ID: 336800556-0
                                            • Opcode ID: bc334f34cb0823fc2148986ec011a0f0ab30fc053e480e935293b7c0b2a16d41
                                            • Instruction ID: 1d8b40084f448f41674e7b876d3f22ed77bb306853f5ff899252e2e348ffdd65
                                            • Opcode Fuzzy Hash: bc334f34cb0823fc2148986ec011a0f0ab30fc053e480e935293b7c0b2a16d41
                                            • Instruction Fuzzy Hash: 8701B1B2601215FFA32327B6EC8CC7B79ADDAC6BA1315432DFD05C6281EA688D0191B4
                                            APIs
                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                                            • SelectObject.GDI32(?,00000000), ref: 006E96A2
                                            • BeginPath.GDI32(?), ref: 006E96B9
                                            • SelectObject.GDI32(?,00000000), ref: 006E96E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ObjectSelect$BeginCreatePath
                                            • String ID:
                                            • API String ID: 3225163088-0
                                            • Opcode ID: 46c29ee6f40aae3392edb36b7141924725b29e81600343922eb0383382c791a5
                                            • Instruction ID: 6c299a65f9e98662d87077cd5ab1a609d993ca6e2346c04ad1c3d9eb647e117b
                                            • Opcode Fuzzy Hash: 46c29ee6f40aae3392edb36b7141924725b29e81600343922eb0383382c791a5
                                            • Instruction Fuzzy Hash: AD2183708023C5EBFB119F25EC147EA3B66BF82355F508216F411961B1D3786991CFA9
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _memcmp
                                            • String ID:
                                            • API String ID: 2931989736-0
                                            • Opcode ID: 3f2e4c3d88e27bb5e2191a8f1a103aad459d26c6ac221e37f1ba69efa9c3e274
                                            • Instruction ID: 84c72cc5346b14f715b544cfe7a9be39fc60dda1a4d372a90a0027f9fc4f0163
                                            • Opcode Fuzzy Hash: 3f2e4c3d88e27bb5e2191a8f1a103aad459d26c6ac221e37f1ba69efa9c3e274
                                            • Instruction Fuzzy Hash: 5401B5A2645A09FBF2085520AD92FBB735E9B32394F414024FE099E242FB69ED10C2F4
                                            APIs
                                            • GetLastError.KERNEL32(?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6), ref: 00702DFD
                                            • _free.LIBCMT ref: 00702E32
                                            • _free.LIBCMT ref: 00702E59
                                            • SetLastError.KERNEL32(00000000,006D1129), ref: 00702E66
                                            • SetLastError.KERNEL32(00000000,006D1129), ref: 00702E6F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_free
                                            • String ID:
                                            • API String ID: 3170660625-0
                                            • Opcode ID: e4f7ef0963664a22b3dc2eb0b91ef8cd22e1c1fe56b1f2ea9e8c1035e29cb44f
                                            • Instruction ID: 23a8940158230e5a544c661bef658b9bda3e0af1a0b4cbfbac2a79d429bece7a
                                            • Opcode Fuzzy Hash: e4f7ef0963664a22b3dc2eb0b91ef8cd22e1c1fe56b1f2ea9e8c1035e29cb44f
                                            • Instruction Fuzzy Hash: 9B01F977285600E7C6137735AC4ED2B26DDABD17A57214725F455A22E3EA6C8C034128
                                            APIs
                                            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?,?,0073035E), ref: 0073002B
                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730046
                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730054
                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?), ref: 00730064
                                            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730070
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                            • String ID:
                                            • API String ID: 3897988419-0
                                            • Opcode ID: ad108b04b3712494612fabfd14a396811699769d10f30725add0bfaeb86995a9
                                            • Instruction ID: b84704426ecc6dbb9d9d7129f51ee4371e21350b2523666cc00bd2b7fd2cb62b
                                            • Opcode Fuzzy Hash: ad108b04b3712494612fabfd14a396811699769d10f30725add0bfaeb86995a9
                                            • Instruction Fuzzy Hash: FA01DF76600309BFEB214F68DC48BBA7AADEB44751F108024F846D7211D7B8CD009BA0
                                            APIs
                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0073E997
                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 0073E9A5
                                            • Sleep.KERNEL32(00000000), ref: 0073E9AD
                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0073E9B7
                                            • Sleep.KERNEL32 ref: 0073E9F3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                            • String ID:
                                            • API String ID: 2833360925-0
                                            • Opcode ID: a062e0d54be5c442c9925c6900f1223f570fe923241d70a759d714fcdf92453e
                                            • Instruction ID: bc16ca5fbcbd681ea97c12ba5cb0701679c4cc1ded00a66a9ac2e129a9a9d960
                                            • Opcode Fuzzy Hash: a062e0d54be5c442c9925c6900f1223f570fe923241d70a759d714fcdf92453e
                                            • Instruction Fuzzy Hash: ED015B71C0162DDBDF04ABE4DC596EDBB78BB09301F004546E542B2282DB78A5518766
                                            APIs
                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 842720411-0
                                            • Opcode ID: c52cb0ed7f343c6512b2faf2172b676ec72e470ff92063741e0a04a29604aee3
                                            • Instruction ID: 751f16a0af8128da62e7db3c9bcc28e4ff0baaa9f0ede3369ee2036e6d6e3743
                                            • Opcode Fuzzy Hash: c52cb0ed7f343c6512b2faf2172b676ec72e470ff92063741e0a04a29604aee3
                                            • Instruction Fuzzy Hash: F20181B5200309BFEB124F69DC49EAA3F6EEF85360F104414FA86C3350DB75DC008A60
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00730FCA
                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00730FD6
                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00730FE5
                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00730FEC
                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00731002
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            • Opcode ID: c0d5c37e8ee2e9bfba0e9ba87dbd487c5b454c2fe7ad603b557ca32c83a549b6
                                            • Instruction ID: 08779c8ab0c7360a32ca40ba0f0f60029bda0de70560245c4b9f817a8ac8b736
                                            • Opcode Fuzzy Hash: c0d5c37e8ee2e9bfba0e9ba87dbd487c5b454c2fe7ad603b557ca32c83a549b6
                                            • Instruction Fuzzy Hash: 66F06275200305FBD7264FA5DC4DF663B6DEF8A761F508414F986D7251CAB9DC408A60
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0073102A
                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00731036
                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731045
                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0073104C
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731062
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            • Opcode ID: 0f81a31bd8689fa68dc575c3425c8eeb05d34f62aca6fce8d24d84c54243a275
                                            • Instruction ID: c09f3ef9309ede120a19be1d42a9c14f587dbe8ba1e0c1e8c06833329bc06974
                                            • Opcode Fuzzy Hash: 0f81a31bd8689fa68dc575c3425c8eeb05d34f62aca6fce8d24d84c54243a275
                                            • Instruction Fuzzy Hash: 2DF0CD75300305FBEB221FA5EC49F663BADEF8A761F104414FA86D7251CAB9DC408A60
                                            APIs
                                            • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740324
                                            • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740331
                                            • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 0074033E
                                            • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 0074034B
                                            • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740358
                                            • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740365
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: dabc9760f0d1e328b93be0c955742ab23f928549967abec637c6dfb23f06a861
                                            • Instruction ID: 3f6611560d59635a3a03326f2c90280cac5449067e5e6fd0d641e1f9ee46be24
                                            • Opcode Fuzzy Hash: dabc9760f0d1e328b93be0c955742ab23f928549967abec637c6dfb23f06a861
                                            • Instruction Fuzzy Hash: 6001AA72800B159FCB30AF66D890812FBF9BF603153168A3FD29652931C3B5A998CF80
                                            APIs
                                            • _free.LIBCMT ref: 0070D752
                                              • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                              • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                            • _free.LIBCMT ref: 0070D764
                                            • _free.LIBCMT ref: 0070D776
                                            • _free.LIBCMT ref: 0070D788
                                            • _free.LIBCMT ref: 0070D79A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 05bd93dfe6b6ff00b926000bcb69be2d69dab3930f38094c9fab66d70934ceeb
                                            • Instruction ID: 9dee420b74a19c28a0cf68e3014b8fe77ed44d2d56ce4267b9c84261ee963315
                                            • Opcode Fuzzy Hash: 05bd93dfe6b6ff00b926000bcb69be2d69dab3930f38094c9fab66d70934ceeb
                                            • Instruction Fuzzy Hash: 85F0FF33554304EBCA22EBA8F9CAC1677DDBB447107A55A06F048E7592C72CFC818AA4
                                            APIs
                                            • _free.LIBCMT ref: 007022BE
                                              • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                              • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                            • _free.LIBCMT ref: 007022D0
                                            • _free.LIBCMT ref: 007022E3
                                            • _free.LIBCMT ref: 007022F4
                                            • _free.LIBCMT ref: 00702305
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: fcda286688f572c2476941eec2ee46e91bee4a3a2c3b8cdbb08364ee3692b88e
                                            • Instruction ID: 538939280bcdae49d0ffc4aac9c2f3564cc9ef2b9bbf295d0578a20915657fd0
                                            • Opcode Fuzzy Hash: fcda286688f572c2476941eec2ee46e91bee4a3a2c3b8cdbb08364ee3692b88e
                                            • Instruction Fuzzy Hash: A0F01D76520110CFCA12AF54BC099483AA4B75A750B918607F410E22F2C73C58129EEC
                                            APIs
                                            • EndPath.GDI32(?), ref: 006E95D4
                                            • StrokeAndFillPath.GDI32(?,?,007271F7,00000000,?,?,?), ref: 006E95F0
                                            • SelectObject.GDI32(?,00000000), ref: 006E9603
                                            • DeleteObject.GDI32 ref: 006E9616
                                            • StrokePath.GDI32(?), ref: 006E9631
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                            • String ID:
                                            • API String ID: 2625713937-0
                                            • Opcode ID: 854d9afc285e5aeb5706be3b855f6f29f0a8b6c6dc84535a4e252d34981f427e
                                            • Instruction ID: b5ce68a412ee71cd8e1b9f91f7f512db826cc82eeeb8c7a37272f2fdb649e6c5
                                            • Opcode Fuzzy Hash: 854d9afc285e5aeb5706be3b855f6f29f0a8b6c6dc84535a4e252d34981f427e
                                            • Instruction Fuzzy Hash: 07F08C30006388EBEB165F26EC1C7B63B62AB82322F40C215F466561F0C7789995CF29
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: __freea$_free
                                            • String ID: a/p$am/pm
                                            • API String ID: 3432400110-3206640213
                                            • Opcode ID: 8f9228bec59e0be2e21d2c6cf12a834855b76cb223000d622c16db28d5693851
                                            • Instruction ID: f59501ca3bff1eb1902d25173fea9d3145c05ce0c0111ec3d89762ef91c33f08
                                            • Opcode Fuzzy Hash: 8f9228bec59e0be2e21d2c6cf12a834855b76cb223000d622c16db28d5693851
                                            • Instruction Fuzzy Hash: 28D1E231A00206DADB289F68C895BFAB7F5FF06300FA44359E9419BAD1D77D9D80CB91
                                            APIs
                                              • Part of subcall function 006F0242: EnterCriticalSection.KERNEL32(007A070C,007A1884,?,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F024D
                                              • Part of subcall function 006F0242: LeaveCriticalSection.KERNEL32(007A070C,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F028A
                                              • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
                                            • __Init_thread_footer.LIBCMT ref: 00756238
                                              • Part of subcall function 006F01F8: EnterCriticalSection.KERNEL32(007A070C,?,?,006E8747,007A2514), ref: 006F0202
                                              • Part of subcall function 006F01F8: LeaveCriticalSection.KERNEL32(007A070C,?,006E8747,007A2514), ref: 006F0235
                                              • Part of subcall function 0074359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007435E4
                                              • Part of subcall function 0074359C: LoadStringW.USER32(007A2390,?,00000FFF,?), ref: 0074360A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                            • String ID: x#z$x#z$x#z
                                            • API String ID: 1072379062-95117334
                                            • Opcode ID: 94c97292bad7c5911cd16186491e90058c62120eed4160ca8329e0f504b8cb5e
                                            • Instruction ID: 8b1edf8fdd13303a947bf98e78c5fdfb1ed04b986ba59170ab6b6999fc18f95c
                                            • Opcode Fuzzy Hash: 94c97292bad7c5911cd16186491e90058c62120eed4160ca8329e0f504b8cb5e
                                            • Instruction Fuzzy Hash: 03C17C71A00209ABDB14DF58C890EFEB7BAFF49310F508069F9059B251DBB9ED59CB90
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00708B6E
                                            • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00708B7A
                                            • __dosmaperr.LIBCMT ref: 00708B81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                            • String ID: .o
                                            • API String ID: 2434981716-1957372423
                                            • Opcode ID: 27bc20ebc43ff8967df9d345e5f475be9bad67234389b4f5184bf7201c28b367
                                            • Instruction ID: 4b8cc92f4234fc1a2cf0ba61a188741f996c605d07aa566b67c6004a077d3e88
                                            • Opcode Fuzzy Hash: 27bc20ebc43ff8967df9d345e5f475be9bad67234389b4f5184bf7201c28b367
                                            • Instruction Fuzzy Hash: AF418CF0604155EFCB659F64C880A7D7FE6DF86304B2887A9F4C587682DE398C028795
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\v3tK92KcJV.exe,00000104), ref: 00701769
                                            • _free.LIBCMT ref: 00701834
                                            • _free.LIBCMT ref: 0070183E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free$FileModuleName
                                            • String ID: C:\Users\user\Desktop\v3tK92KcJV.exe
                                            • API String ID: 2506810119-1868549384
                                            • Opcode ID: 8f219d75a4ff58c022a9be24b0c004762cd65d40b0b89a7f3044198a0faba532
                                            • Instruction ID: 6a91dd4f0997c32a4051d17be47ffe5fb5802b1ed42516ec18b0040fd737edcd
                                            • Opcode Fuzzy Hash: 8f219d75a4ff58c022a9be24b0c004762cd65d40b0b89a7f3044198a0faba532
                                            • Instruction Fuzzy Hash: 93318F75A00218EFDB21DF999885D9EBBFCEB85320F948266F50497291D6B88E40CB90
                                            APIs
                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0073C306
                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 0073C34C
                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007A1990,01085688), ref: 0073C395
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Menu$Delete$InfoItem
                                            • String ID: 0
                                            • API String ID: 135850232-4108050209
                                            • Opcode ID: 0aed95ff483f9672e61020b49c67e7d57b4b147433279959c10424b1bdf85d69
                                            • Instruction ID: 52404b56cc1800c8b4f3a20fb988fd5bce5d133b8ad8112c27d4d6a937269518
                                            • Opcode Fuzzy Hash: 0aed95ff483f9672e61020b49c67e7d57b4b147433279959c10424b1bdf85d69
                                            • Instruction Fuzzy Hash: 6A41B1312043019FE721DF24D885B2ABBE4AF85310F10861DF9A6A72D2D778E904CB63
                                            APIs
                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0076CC08,00000000,?,?,?,?), ref: 007644AA
                                            • GetWindowLongW.USER32 ref: 007644C7
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007644D7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$Long
                                            • String ID: SysTreeView32
                                            • API String ID: 847901565-1698111956
                                            • Opcode ID: 7708319bc41d90098ebf21d0d9d63f8a695fc6c4473551456fb7d89b8a62e06e
                                            • Instruction ID: bbcbfaec3b4b626f7807ba028c04e00a1d52810532d0e072372c81a13214ff0f
                                            • Opcode Fuzzy Hash: 7708319bc41d90098ebf21d0d9d63f8a695fc6c4473551456fb7d89b8a62e06e
                                            • Instruction Fuzzy Hash: 5231B031210245AFDF218E38DC46BEA7BA9EB09334F204319FD76A21D1DB78EC609B54
                                            APIs
                                            • SysReAllocString.OLEAUT32(?,?), ref: 00736EED
                                            • VariantCopyInd.OLEAUT32(?,?), ref: 00736F08
                                            • VariantClear.OLEAUT32(?), ref: 00736F12
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Variant$AllocClearCopyString
                                            • String ID: *js
                                            • API String ID: 2173805711-2626009487
                                            • Opcode ID: 0d75b4065e026734700bb5360326a6fc620bdca79412f94b3b0d024d0dbca17e
                                            • Instruction ID: 48b268d46495c9335c4d7145dbfba7f0ec4550f085271a6b035fd0b0a9ba48e8
                                            • Opcode Fuzzy Hash: 0d75b4065e026734700bb5360326a6fc620bdca79412f94b3b0d024d0dbca17e
                                            • Instruction Fuzzy Hash: AE31D371A04246EFDB05AF64E8509BD3776FF40700F108499F8065B3A2CB389911DBD8
                                            APIs
                                              • Part of subcall function 0075335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00753077,?,?), ref: 00753378
                                            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                                            • _wcslen.LIBCMT ref: 0075309B
                                            • htons.WSOCK32(00000000,?,?,00000000), ref: 00753106
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                            • String ID: 255.255.255.255
                                            • API String ID: 946324512-2422070025
                                            • Opcode ID: cfd413a5f80bfbf8e6e48fe0957819c9fc4c5206f30d1741d1fc8c6a4cbcaa3b
                                            • Instruction ID: 8bae0f3703246e86e44192611dcd425c063d6304dd19da8dd8a0a0903365b90a
                                            • Opcode Fuzzy Hash: cfd413a5f80bfbf8e6e48fe0957819c9fc4c5206f30d1741d1fc8c6a4cbcaa3b
                                            • Instruction Fuzzy Hash: 5231D2356007099FCB20CF28C485EAA77E1EF14395F248059EC198B3A2DBBADE49C760
                                            APIs
                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00764705
                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00764713
                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0076471A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$DestroyWindow
                                            • String ID: msctls_updown32
                                            • API String ID: 4014797782-2298589950
                                            • Opcode ID: d10cfbd617b68d94fc6a4d53ba685a82c9c26ccafe010753bbbc337ba23c418a
                                            • Instruction ID: 40424fa5bee75a807e35ada9b944006c78102cbdb22b627ac0217f90d27794e9
                                            • Opcode Fuzzy Hash: d10cfbd617b68d94fc6a4d53ba685a82c9c26ccafe010753bbbc337ba23c418a
                                            • Instruction Fuzzy Hash: 35216DB5600209AFEB11DF68DCD1DB737ADEF9A3A4B044059FA019B3A1CB74EC51CA64
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen
                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                            • API String ID: 176396367-2734436370
                                            • Opcode ID: 341d4ebc4cf6c3a7107fb48d473ba2cfae023cfe181247e31d2205b037a9bea4
                                            • Instruction ID: bacd86d3e858ff6217c0d82db2bb9a88c992e1bca43e5efbfd00c3a4e5fc0e14
                                            • Opcode Fuzzy Hash: 341d4ebc4cf6c3a7107fb48d473ba2cfae023cfe181247e31d2205b037a9bea4
                                            • Instruction Fuzzy Hash: 1A215BB2205610A6E331AB249C03FB773D99F51300F50402AFB4A97183FBD9AD95C2E9
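The function above is the one whose strings (`#OnAutoItStartRegister`, `#notrayicon`, `#requireadmin`) back the report's "Binary is likely a compiled AutoIt script file" signature: these are directive names handled by the AutoIt interpreter stub, so they fingerprint the runtime the sample was built with, not Snake Keylogger itself, and legitimate AutoIt programs carry them too. Because the function measures them with `_wcslen`, they sit in the image as UTF-16LE, which an ASCII-only strings pass misses. The triage check below is an added example, not part of the Joe Sandbox report or of its tooling; the two-of-three threshold and the sample buffers are constructed for the demonstration.

```python
"""Triage check for the AutoIt interpreter directive strings seen in the report.

Added example, not Joe Sandbox code. Scans a byte buffer for the three directive
names in both ASCII and UTF-16LE, because the report's function reaches them via
_wcslen (wide strings). The sample buffers at the bottom are constructed here.
"""
from __future__ import annotations

import sys

# Directive names exactly as the report's String ID lists them.
AUTOIT_DIRECTIVES = ("#OnAutoItStartRegister", "#notrayicon", "#requireadmin")
ENCODINGS = ("ascii", "utf-16-le")


def find_directives(data: bytes) -> dict[str, list[str]]:
    """Return {directive: [encodings in which it was found]} for directives present in data."""
    hits: dict[str, list[str]] = {}
    for name in AUTOIT_DIRECTIVES:
        found = [enc for enc in ENCODINGS if name.encode(enc) in data]
        if found:
            hits[name] = found
    return hits


def is_likely_autoit_stub(data: bytes, minimum: int = 2) -> bool:
    """Heuristic: at least `minimum` distinct directive names present in any encoding.

    The threshold is an assumption of this example, not a Joe Sandbox rule; a single
    hit in ASCII can come from an unrelated comment or script text.
    """
    return len(find_directives(data)) >= minimum


def scan_file(path: str) -> dict[str, list[str]]:
    """Read a file and report directive hits (wrapper around find_directives)."""
    with open(path, "rb") as fh:
        return find_directives(fh.read())


# Constructed sample buffers (not real binaries).
# SAMPLE_WIDE mimics the UTF-16LE layout implied by the _wcslen-based function.
SAMPLE_WIDE = (
    b"\x00" * 16
    + "#notrayicon".encode("utf-16-le") + b"\x00\x00"
    + "#requireadmin".encode("utf-16-le") + b"\x00\x00"
    + "#OnAutoItStartRegister".encode("utf-16-le") + b"\x00" * 16
)
# SAMPLE_ASCII_ONLY has one directive as plain text: a hit, but below the threshold.
SAMPLE_ASCII_ONLY = b"MZ\x90\x00 random text #requireadmin in a comment"
# SAMPLE_CLEAN contains no directive in either encoding.
SAMPLE_CLEAN = b"MZ\x90\x00" + bytes(range(256))

if __name__ == "__main__":
    # Usage: python autoit_directives.py <file> [<file> ...]; with no arguments,
    # run over the constructed samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            hits = scan_file(path)
            print(f"{path}: {'likely AutoIt stub' if len(hits) >= 2 else 'no'} {hits}")
    else:
        for label, buf in (("wide", SAMPLE_WIDE), ("ascii-only", SAMPLE_ASCII_ONLY), ("clean", SAMPLE_CLEAN)):
            print(label, is_likely_autoit_stub(buf), find_directives(buf))
```

Run it against the sample itself to confirm the directive strings are there in UTF-16LE; a positive result says "compiled AutoIt", and the rest of the report (the injection, the clipboard and country-lookup behaviour) is what ties this particular binary to Snake Keylogger.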
                                            APIs
                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00763840
                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00763850
                                            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00763876
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$MoveWindow
                                            • String ID: Listbox
                                            • API String ID: 3315199576-2633736733
                                            • Opcode ID: b004571a43074dd32b4e269973127eea57797e16da87a1466730505667b9d28c
                                            • Instruction ID: fe75e9871b3483d1eb68118384b131939731943502bf08d5ebff0116ac817b3f
                                            • Opcode Fuzzy Hash: b004571a43074dd32b4e269973127eea57797e16da87a1466730505667b9d28c
                                            • Instruction Fuzzy Hash: 2421BE72610219BBEF218F54DC85EBB376AEF89760F108124F9069B190C6B9DC52CBA0
                                            APIs
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00732258
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0073228A
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007322CA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                            • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$_wcslen
                                            • String ID: @U=u
                                            • API String ID: 763830540-2594219639
                                            • Opcode ID: b6b459299b571e44432a1668869c158e8bb47d60d3a550f69b16db156abcdaaa
                                            • Instruction ID: 40b118476aa750d0d55a4bb805839c6041fd0ecb9685961bebf48e32e0398b51
                                            • Opcode Fuzzy Hash: b6b459299b571e44432a1668869c158e8bb47d60d3a550f69b16db156abcdaaa
                                            • Instruction Fuzzy Hash: D821AA71700214ABEB119B54CD49EFE3BA9EB59710F048025FA06D7243D7B89D4687A6
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00744A08
                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00744A5C
                                            • SetErrorMode.KERNEL32(00000000,?,?,0076CC08), ref: 00744AD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorMode$InformationVolume
                                            • String ID: %lu
                                            • API String ID: 2507767853-685833217
                                            • Opcode ID: 88736f01990f067338aa17dcad6507fa95d52dec8dbb1bdd453ad98407896521
                                            • Instruction ID: 1d7f42c9a69ce4f66b0bef81adf5ff38ef5defd6926affee26270bb8a5724b4b
                                            • Opcode Fuzzy Hash: 88736f01990f067338aa17dcad6507fa95d52dec8dbb1bdd453ad98407896521
                                            • Instruction Fuzzy Hash: 80318571A00208AFDB51DF54C885EAA77F9EF05304F148099F905DB352DB75ED45CB61
                                            APIs
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00731B4F
                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00731B61
                                            • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00731B99
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: d69876b64e48ee61f4567833916009dbd98dd67ee49823f9ae2dc2ec1b044644
                                            • Instruction ID: a4279da5e6a0ea42444ae911ca28052894a5155d34d6ac57c5d441fce5a30bf6
                                            • Opcode Fuzzy Hash: d69876b64e48ee61f4567833916009dbd98dd67ee49823f9ae2dc2ec1b044644
                                            • Instruction Fuzzy Hash: BA21A572600219BFEF15DB99C841DAEF7FEEF44340F1004AAE145E3295EA75AE40CB98
                                            APIs
                                            • SendMessageW.USER32(00000402,00000000,00000000), ref: 00750D24
                                            • SendMessageW.USER32(0000000C,00000000,?), ref: 00750D65
                                            • SendMessageW.USER32(0000000C,00000000,?), ref: 00750D8D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: 49a9286b849c29cd8acae3b4c332ce2dea0bf079e5a01449502368c5c3d4befd
                                            • Instruction ID: 2b4b8e8bb01a310ef7e90e5c2023515c310c9cb2d00b35b552e6aa2d618e7608
                                            • Opcode Fuzzy Hash: 49a9286b849c29cd8acae3b4c332ce2dea0bf079e5a01449502368c5c3d4befd
                                            • Instruction Fuzzy Hash: D1217435200601AFEB10EF24E981D6AB3E6FB0A310B418959EC198B661DBA4BC00CB89
                                            APIs
                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0076424F
                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00764264
                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00764271
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: msctls_trackbar32
                                            • API String ID: 3850602802-1010561917
                                            • Opcode ID: 9fe7f0ae9ccfb68a6981fc619dc13063b80447185b742a9ec04703c2eb000e94
                                            • Instruction ID: 7bbe609f8ab5cf53e598c2bb5e16c284671f850ee0946b5a394f54dbaeea9766
                                            • Opcode Fuzzy Hash: 9fe7f0ae9ccfb68a6981fc619dc13063b80447185b742a9ec04703c2eb000e94
                                            • Instruction Fuzzy Hash: 1F110631240208BEEF205F29CC46FAB3BACFF85B64F110114FE56E2090D2B5DC519B14
                                            APIs
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                              • Part of subcall function 00732DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00732DC5
                                              • Part of subcall function 00732DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00732DD6
                                              • Part of subcall function 00732DA7: GetCurrentThreadId.KERNEL32 ref: 00732DDD
                                              • Part of subcall function 00732DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00732DE4
                                            • GetFocus.USER32 ref: 00732F78
                                              • Part of subcall function 00732DEE: GetParent.USER32(00000000), ref: 00732DF9
                                            • GetClassNameW.USER32(?,?,00000100), ref: 00732FC3
                                            • EnumChildWindows.USER32(?,0073303B), ref: 00732FEB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                            • String ID: %s%d
                                            • API String ID: 1272988791-1110647743
                                            • Opcode ID: e0d4445714e65765eae1686e579efbb935125b4d1a08040e2304c7c25f187dfe
                                            • Instruction ID: 887d09f186c8bce824e969f4d3c776e8500d7e885fe8050e7939366c038ca45e
                                            • Opcode Fuzzy Hash: e0d4445714e65765eae1686e579efbb935125b4d1a08040e2304c7c25f187dfe
                                            • Instruction Fuzzy Hash: AD11A271700205ABEF557F60CC89EFD376AAF84304F04807AF9099B253DE7999468B74
                                            APIs
                                            • GetWindowTextLengthW.USER32(00000000), ref: 007634AB
                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007634BA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LengthMessageSendTextWindow
                                            • String ID: @U=u$edit
                                            • API String ID: 2978978980-590756393
                                            • Opcode ID: 559d64c93edb163c6a708ed535b0a48eb677e41e237ca7eb311fac5ad25c8fe7
                                            • Instruction ID: 9fb7c6079535bb392dd25087fbc61fb171528b6c80150ee07aec7863c1f1da1e
                                            • Opcode Fuzzy Hash: 559d64c93edb163c6a708ed535b0a48eb677e41e237ca7eb311fac5ad25c8fe7
                                            • Instruction Fuzzy Hash: 67118F71500248ABEB128E64DC44ABB7B6AEF05374F504324FD62931E0CB79DC55D754
                                            APIs
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                              • Part of subcall function 00733CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00733CCA
                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00731C46
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameSend_wcslen
                                            • String ID: @U=u$ComboBox$ListBox
                                            • API String ID: 624084870-2258501812
                                            • Opcode ID: 62033c9b61dabb5e675a745da89209886e9d980bb17c98cd766979a6c4651087
                                            • Instruction ID: ce2ed5b33887f172cb3ee2702713faf09f5a97b6cbc0ff6224d0102d0443231d
                                            • Opcode Fuzzy Hash: 62033c9b61dabb5e675a745da89209886e9d980bb17c98cd766979a6c4651087
                                            • Instruction Fuzzy Hash: 0901F7B1B8010466DF18EBA0D951DFF73A89B11340F50141AB416632C2EA289E0887B5
                                            APIs
                                            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007658C1
                                            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007658EE
                                            • DrawMenuBar.USER32(?), ref: 007658FD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Menu$InfoItem$Draw
                                            • String ID: 0
                                            • API String ID: 3227129158-4108050209
                                            • Opcode ID: 8c72ce0a9f0fc45bf0471c13ff757e270364155b042fc7809fe66c4a763fa590
                                            • Instruction ID: bb8d798c7b42eb1189047f17ec5f305e0f0b15b759f413a5ea120edbeda8dd64
                                            • Opcode Fuzzy Hash: 8c72ce0a9f0fc45bf0471c13ff757e270364155b042fc7809fe66c4a763fa590
                                            • Instruction Fuzzy Hash: 02018B31500348EFDB219F11DC44BAEBBB5FB45360F108099E88AD6151DB74AA94EF24
                                            APIs
                                            • GetForegroundWindow.USER32(?,007A18B0,0076A364,000000FC,?,00000000,00000000,?,?,?,007276CF,?,?,?,?,?), ref: 00767805
                                            • GetFocus.USER32 ref: 0076780D
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                              • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                            • SendMessageW.USER32(0108E7F0,000000B0,000001BC,000001C0), ref: 0076787A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$Long$FocusForegroundMessageSend
                                            • String ID: @U=u
                                            • API String ID: 3601265619-2594219639
                                            • Opcode ID: 4364c3c4d7245cf1a1d7a0d4b3526f7e4fb86361f31100554176bbcc4fdd1018
                                            • Instruction ID: d1b56f8a22f5fbeaccf1ffd7c9f65264b86ff1dd879a0062a08c8adf41bbd256
                                            • Opcode Fuzzy Hash: 4364c3c4d7245cf1a1d7a0d4b3526f7e4fb86361f31100554176bbcc4fdd1018
                                            • Instruction Fuzzy Hash: BB01A7355062418FD329DB28DC58AB633E6EFCA364F1842ADE456872A1CB796C06CF54
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8253753b864a3daf44eb555188ef87f633ac7682bed257e6c910e5f3f7479465
                                            • Instruction ID: cdca53d831ec80b7a9a20f072e284b40d4f6bed1f333797430e0f4dfafa3a108
                                            • Opcode Fuzzy Hash: 8253753b864a3daf44eb555188ef87f633ac7682bed257e6c910e5f3f7479465
                                            • Instruction Fuzzy Hash: 93C17C75A0020AEFEB14CFA4C8A8EAEB7B5FF48714F108598E505EB252D735ED41DB90
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInitInitializeUninitialize
                                            • String ID:
                                            • API String ID: 1998397398-0
                                            • Opcode ID: 3c797e3134306c09a8fe332146ff964e4a4719a0df5244d677baa0b12027594a
                                            • Instruction ID: ab110ab4ba726a20137004dbefb56dde8aaae6da419b3913df00796c443cd1d3
                                            • Opcode Fuzzy Hash: 3c797e3134306c09a8fe332146ff964e4a4719a0df5244d677baa0b12027594a
                                            • Instruction Fuzzy Hash: 32A156756042009FC700DF28C485A6AB7E6EF88351F04895DFD8A9B362EB74EE05CB96
                                            APIs
                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0076FC08,?), ref: 007305F0
                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0076FC08,?), ref: 00730608
                                            • CLSIDFromProgID.OLE32(?,?,00000000,0076CC40,000000FF,?,00000000,00000800,00000000,?,0076FC08,?), ref: 0073062D
                                            • _memcmp.LIBVCRUNTIME ref: 0073064E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FromProg$FreeTask_memcmp
                                            • String ID:
                                            • API String ID: 314563124-0
                                            • Opcode ID: 51b789e23a84144422b5f9bab7c606f772b1a5cbeae1182c56737177ce12baba
                                            • Instruction ID: 14643ad8cec9f014846410a42d0494bb1c4970297969af7c41aacff3403e02b6
                                            • Opcode Fuzzy Hash: 51b789e23a84144422b5f9bab7c606f772b1a5cbeae1182c56737177ce12baba
                                            • Instruction Fuzzy Hash: 7B815C71A00109EFDB04DF94C994EEEB7B9FF89315F204198F506AB251DB75AE06CBA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _free
                                            • String ID:
                                            • API String ID: 269201875-0
                                            • Opcode ID: ac7449862de37793cccf28df96c29ee6b0aad95c3aecc1afc115ba5fd4e0f20b
                                            • Instruction ID: 9ded31d98f96b9f742e07b3129599e4eab34caeb44a677261bc3a00c9c359610
                                            • Opcode Fuzzy Hash: ac7449862de37793cccf28df96c29ee6b0aad95c3aecc1afc115ba5fd4e0f20b
                                            • Instruction Fuzzy Hash: 56415C31600144EBDB216BFC8C4AAFE3AE6EF41770F544225FF19DA1D2E63C89819762
                                            APIs
                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00751AFD
                                            • WSAGetLastError.WSOCK32 ref: 00751B0B
                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00751B8A
                                            • WSAGetLastError.WSOCK32 ref: 00751B94
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorLast$socket
                                            • String ID:
                                            • API String ID: 1881357543-0
                                            • Opcode ID: ad3b0f5c909d3c1e1f100733a746601fd1c737184abaafb267c9ac0fdb7eec95
                                            • Instruction ID: 974422cc96980774a948dfe48d44aac70c5fddf3f9d891e5f38b70e175fb0813
                                            • Opcode Fuzzy Hash: ad3b0f5c909d3c1e1f100733a746601fd1c737184abaafb267c9ac0fdb7eec95
                                            • Instruction Fuzzy Hash: 8A41B074600300AFE720AF24C886F6977E6AB44719F94844CF95A9F3D2D7B6DD41CB94
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a75bd3f182b5957677229351e99e0d151c9eae01ddabc56e3d296ac9727fda2b
                                            • Instruction ID: 17a4a0bf45e9cb12e9dbdb3e74fc3dfbb8614981e19d07e14129025cefb7a297
                                            • Opcode Fuzzy Hash: a75bd3f182b5957677229351e99e0d151c9eae01ddabc56e3d296ac9727fda2b
                                            • Instruction Fuzzy Hash: 3241E672A00344EFD7249F78CC45BAABBE9EF88710F10466AF145DB2C2D779AB418780
                                            APIs
                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00745783
                                            • GetLastError.KERNEL32(?,00000000), ref: 007457A9
                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007457CE
                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007457FA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                            • String ID:
                                            • API String ID: 3321077145-0
                                            • Opcode ID: e4db08bf0b2bc42a7938af6c4ff62fc4d237c67751838d6469f675acbbfd2f1d
                                            • Instruction ID: 19d179772c79151587568ab2db40ac119efc8d2c874f9c7610a2558297df6b0c
                                            • Opcode Fuzzy Hash: e4db08bf0b2bc42a7938af6c4ff62fc4d237c67751838d6469f675acbbfd2f1d
                                            • Instruction Fuzzy Hash: 1F413B39600611DFCB11EF15C444A5EBBE2EF89720B19C489EC4AAB362DB34FD00CB96
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,006F6D71,00000000,00000000,006F82D9,?,006F82D9,?,00000001,006F6D71,?,00000001,006F82D9,006F82D9), ref: 0070D910
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070D999
                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0070D9AB
                                            • __freea.LIBCMT ref: 0070D9B4
                                              • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                            • String ID:
                                            • API String ID: 2652629310-0
                                            • Opcode ID: b476851f3a4df5968cb5d86068522fa21d12f590d995bad01b374c44a84a9b51
                                            • Instruction ID: c1b40e17bcf029e3c4a033e22c42b00e08f0d2232240b6c3c6f0f950d9e275fc
                                            • Opcode Fuzzy Hash: b476851f3a4df5968cb5d86068522fa21d12f590d995bad01b374c44a84a9b51
                                            • Instruction Fuzzy Hash: 9931AB72A1020AEBDF25DFA5DC45EAE7BE5EB41310B054268FC05D6291EB39ED50CBA0
                                            APIs
                                            • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 0073ABF1
                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 0073AC0D
                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 0073AC74
                                            • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 0073ACC6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: KeyboardState$InputMessagePostSend
                                            • String ID:
                                            • API String ID: 432972143-0
                                            • Opcode ID: b12347610f4bfd827f86380e5de31e703913f6a021e043e15321e306ae1e54c6
                                            • Instruction ID: 4b7b3b1ac9315c5ddcbe1a6d3e6fb4fa1a44309f0cfef13c5712f65b20f4a8fd
                                            • Opcode Fuzzy Hash: b12347610f4bfd827f86380e5de31e703913f6a021e043e15321e306ae1e54c6
                                            • Instruction Fuzzy Hash: EF311631A44318BFFB258B65CC0A7FABBA5AB45310F08621AE4C1521D2C37D8D818776
                                            APIs
                                            • ClientToScreen.USER32(?,?), ref: 0076769A
                                            • GetWindowRect.USER32(?,?), ref: 00767710
                                            • PtInRect.USER32(?,?,00768B89), ref: 00767720
                                            • MessageBeep.USER32(00000000), ref: 0076778C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Rect$BeepClientMessageScreenWindow
                                            • String ID:
                                            • API String ID: 1352109105-0
                                            • Opcode ID: a71a00106a43d1d5bf74f2ca9466bbef521f587560e85d651f8a231fb5b32f29
                                            • Instruction ID: a162db6af1d08b6b5ce15c8300c3bf2b3e68ffba855fc64720179607831c32cf
                                            • Opcode Fuzzy Hash: a71a00106a43d1d5bf74f2ca9466bbef521f587560e85d651f8a231fb5b32f29
                                            • Instruction Fuzzy Hash: A441BF34605254DFDB09CF58C894EA977F4FF49398F5580A8E8169B261D738E941CF90
                                            APIs
                                            • GetForegroundWindow.USER32 ref: 007616EB
                                              • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                                              • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                                              • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
                                            • GetCaretPos.USER32(?), ref: 007616FF
                                            • ClientToScreen.USER32(00000000,?), ref: 0076174C
                                            • GetForegroundWindow.USER32 ref: 00761752
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                            • String ID:
                                            • API String ID: 2759813231-0
                                            • Opcode ID: 3708eba034757c44ff94988e3667f076601aa2e5a7953d5bec0c509cc885c0c4
                                            • Instruction ID: daa5d4ddb4cd0e98bb9d438c3849bb0efcdea4d948975f3828bb52b710f76e9b
                                            • Opcode Fuzzy Hash: 3708eba034757c44ff94988e3667f076601aa2e5a7953d5bec0c509cc885c0c4
                                            • Instruction Fuzzy Hash: 50314371D00249AFD700DFA9C885CAEBBF9EF48314B5480AAE456E7312D7359E45CBA0
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
                                            • Process32NextW.KERNEL32(00000000,?), ref: 0073D52F
                                            • CloseHandle.KERNEL32(00000000), ref: 0073D5DC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 420147892-0
                                            • Opcode ID: d8bcc61882cb0678f1bfb65ed38abb738e9edeb712b5812fd5e31511bd2862ed
                                            • Instruction ID: a6705e946702535b3b589dc34347f29cdf0d0865955024380f33c3964bd5147c
                                            • Opcode Fuzzy Hash: d8bcc61882cb0678f1bfb65ed38abb738e9edeb712b5812fd5e31511bd2862ed
                                            • Instruction Fuzzy Hash: BF31E4721083009FD315EF50D881ABFBBF8EF99344F04082DF582872A2EB719944CBA2
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                            • GetCursorPos.USER32(?), ref: 00769001
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00727711,?,?,?,?,?), ref: 00769016
                                            • GetCursorPos.USER32(?), ref: 0076905E
                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00727711,?,?,?), ref: 00769094
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                            • String ID:
                                            • API String ID: 2864067406-0
                                            • Opcode ID: 89452f109dace545edf0aaaf14b86acc4c653e3f025a7b6f1fbeb5b78be43775
                                            • Instruction ID: 42322d9f4060f75f7cb753a9703aad57fee122301175975b43085c22a8a33ad6
                                            • Opcode Fuzzy Hash: 89452f109dace545edf0aaaf14b86acc4c653e3f025a7b6f1fbeb5b78be43775
                                            • Instruction Fuzzy Hash: 0221A135601118EFDF268F94CC58EFA7BB9EF8A360F148069FA0647261C379AD50DB60
                                            APIs
                                            • GetFileAttributesW.KERNEL32(?,0076CB68), ref: 0073D2FB
                                            • GetLastError.KERNEL32 ref: 0073D30A
                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0073D319
                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0076CB68), ref: 0073D376
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                            • String ID:
                                            • API String ID: 2267087916-0
                                            • Opcode ID: 225abcbbdc2030aa6ddf257f7428573f7ff43848e0b58b3e25f34a44932552f1
                                            • Instruction ID: 878eefa10e6a3ecdeadd05a7361d48b38d0ccacd56b901c7cf7f31ca1995fcde
                                            • Opcode Fuzzy Hash: 225abcbbdc2030aa6ddf257f7428573f7ff43848e0b58b3e25f34a44932552f1
                                            • Instruction Fuzzy Hash: 7D21A370509301DF9320DF24E88186A77E4FE56724F104A1EF499C32A2D735DD49CB97
                                            APIs
                                              • Part of subcall function 00731014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0073102A
                                              • Part of subcall function 00731014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00731036
                                              • Part of subcall function 00731014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731045
                                              • Part of subcall function 00731014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0073104C
                                              • Part of subcall function 00731014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731062
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007315BE
                                            • _memcmp.LIBVCRUNTIME ref: 007315E1
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00731617
                                            • HeapFree.KERNEL32(00000000), ref: 0073161E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                            • String ID:
                                            • API String ID: 1592001646-0
                                            • Opcode ID: e39eb74af27895508a79b03d8b62a272bf241ba2e86824a1694ca0fc9aca2741
                                            • Instruction ID: b04a88705c8f971b707be0a36532bd669d936042aafd38777e25c0660ca693b4
                                            • Opcode Fuzzy Hash: e39eb74af27895508a79b03d8b62a272bf241ba2e86824a1694ca0fc9aca2741
                                            • Instruction Fuzzy Hash: A421A171E00209EFEF04DFA5C945BEEB7B8EF44344F498459E441AB242EB78AE05CB60
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EC), ref: 0076280A
                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00762824
                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00762832
                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00762840
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$Long$AttributesLayered
                                            • String ID:
                                            • API String ID: 2169480361-0
                                            • Opcode ID: 56c906802462b6fc6c0a39bab4936461358fe5584d4644612c3152981bad7d65
                                            • Instruction ID: 512d26a49b99b3d5c2c09ffc3dcf6a11aaee83edc54614cd0a3f339f6907a3eb
                                            • Opcode Fuzzy Hash: 56c906802462b6fc6c0a39bab4936461358fe5584d4644612c3152981bad7d65
                                            • Instruction Fuzzy Hash: 8D21F131204A12AFD7549B24CC44FAA7B95AF85324F248159F8278B6E3CBB9FC42C7D0
                                            APIs
                                              • Part of subcall function 00738D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0073790A,?,000000FF,?,00738754,00000000,?,0000001C,?,?), ref: 00738D8C
                                              • Part of subcall function 00738D7D: lstrcpyW.KERNEL32(00000000,?,?,0073790A,?,000000FF,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00738DB2
                                              • Part of subcall function 00738D7D: lstrcmpiW.KERNEL32(00000000,?,0073790A,?,000000FF,?,00738754,00000000,?,0000001C,?,?), ref: 00738DE3
                                            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00737923
                                            • lstrcpyW.KERNEL32(00000000,?,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00737949
                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00737984
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: lstrcmpilstrcpylstrlen
                                            • String ID: cdecl
                                            • API String ID: 4031866154-3896280584
                                            APIs
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00731A47
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A59
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A6F
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A8A
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0073E1FD
                                            • MessageBoxW.USER32(?,?,?,?), ref: 0073E230
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0073E246
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0073E24D
                                            Similarity
                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                            • String ID:
                                            • API String ID: 2880819207-0
                                            APIs
                                            • CreateThread.KERNEL32(00000000,?,006FCFF9,00000000,00000004,00000000), ref: 006FD218
                                            • GetLastError.KERNEL32 ref: 006FD224
                                            • __dosmaperr.LIBCMT ref: 006FD22B
                                            • ResumeThread.KERNEL32(00000000), ref: 006FD249
                                            Similarity
                                            • API ID: Thread$CreateErrorLastResume__dosmaperr
                                            • String ID:
                                            • API String ID: 173952441-0
                                            APIs
                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 006F3B56
                                              • Part of subcall function 006F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006F3AD2
                                              • Part of subcall function 006F3AA3: ___AdjustPointer.LIBCMT ref: 006F3AED
                                            • _UnwindNestedFrames.LIBCMT ref: 006F3B6B
                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006F3B7C
                                            • CallCatchBlock.LIBVCRUNTIME ref: 006F3BA4
                                            Similarity
                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                            • String ID:
                                            • API String ID: 737400349-0
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006D13C6,00000000,00000000,?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue), ref: 007030A5
                                            • GetLastError.KERNEL32(?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue,00772290,FlsSetValue,00000000,00000364,?,00702E46), ref: 007030B1
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue,00772290,FlsSetValue,00000000), ref: 007030BF
                                            Similarity
                                            • API ID: LibraryLoad$ErrorLast
                                            • String ID:
                                            • API String ID: 3177248105-0
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0073747F
                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00737497
                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007374AC
                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007374CA
                                            Similarity
                                            • API ID: Type$Register$FileLoadModuleNameUser
                                            • String ID:
                                            • API String ID: 1352324309-0
                                            APIs
                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0C4
                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0E9
                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0F3
                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B126
                                            Similarity
                                            • API ID: CounterPerformanceQuerySleep
                                            • String ID:
                                            • API String ID: 2875609808-0
                                            APIs
                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00732DC5
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00732DD6
                                            • GetCurrentThreadId.KERNEL32 ref: 00732DDD
                                            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00732DE4
                                            Similarity
                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                            • String ID:
                                            • API String ID: 2710830443-0
                                            APIs
                                              • Part of subcall function 006E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                                              • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96A2
                                              • Part of subcall function 006E9639: BeginPath.GDI32(?), ref: 006E96B9
                                              • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96E2
                                            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00768887
                                            • LineTo.GDI32(?,?,?), ref: 00768894
                                            • EndPath.GDI32(?), ref: 007688A4
                                            • StrokePath.GDI32(?), ref: 007688B2
                                            Similarity
                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                            • String ID:
                                            • API String ID: 1539411459-0
                                            APIs
                                            • GetSysColor.USER32(00000008), ref: 006E98CC
                                            • SetTextColor.GDI32(?,?), ref: 006E98D6
                                            • SetBkMode.GDI32(?,00000001), ref: 006E98E9
                                            • GetStockObject.GDI32(00000005), ref: 006E98F1
                                            Similarity
                                            • API ID: Color$ModeObjectStockText
                                            • String ID:
                                            • API String ID: 4037423528-0
                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 00731634
                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,007311D9), ref: 0073163B
                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007311D9), ref: 00731648
                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,007311D9), ref: 0073164F
                                            Similarity
                                            • API ID: CurrentOpenProcessThreadToken
                                            • String ID:
                                            • API String ID: 3974789173-0
                                            APIs
                                            • GetDesktopWindow.USER32 ref: 0072D858
                                            • GetDC.USER32(00000000), ref: 0072D862
                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0072D882
                                            • ReleaseDC.USER32(?), ref: 0072D8A3
                                            Similarity
                                            • API ID: CapsDesktopDeviceReleaseWindow
                                            • String ID:
                                            • API String ID: 2889604237-0
                                            APIs
                                            • GetDesktopWindow.USER32 ref: 0072D86C
                                            • GetDC.USER32(00000000), ref: 0072D876
                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0072D882
                                            • ReleaseDC.USER32(?), ref: 0072D8A3
                                            Similarity
                                            • API ID: CapsDesktopDeviceReleaseWindow
                                            • String ID:
                                            • API String ID: 2889604237-0
                                            • Opcode ID: 8c30af589b94cf18ec6c2596215f439f906e7d8749e10eccf5c2566d2759a9b5
                                            • Instruction ID: b9fbc5aad1b9bdf5ef9f001c47bd890f516d206e9e9ccb70df9fd0237e653fe8
                                            • Opcode Fuzzy Hash: 8c30af589b94cf18ec6c2596215f439f906e7d8749e10eccf5c2566d2759a9b5
                                            • Instruction Fuzzy Hash: 02E01A70C00304DFCB429FA0D80866DBBB2FB08310B149009E98AE7250C7BC59019F48
                                            APIs
                                              • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00744ED4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Connection_wcslen
                                            • String ID: *$LPT
                                            • API String ID: 1725874428-3443410124
                                            • Opcode ID: 2a2e71060647d7785a28f9927e14ac229728b3085679158b9a7564692ba9650f
                                            • Instruction ID: ee6ea3af779c17143d1bd9e330c6f207bb9ee584a19bd1a47bffd699da79edb8
                                            • Opcode Fuzzy Hash: 2a2e71060647d7785a28f9927e14ac229728b3085679158b9a7564692ba9650f
                                            • Instruction Fuzzy Hash: 94914D75A002549FDB14DF58C484FAABBF1BF44304F198099E80A9F3A2D739EE85DB91
                                            APIs
                                            • __startOneArgErrorHandling.LIBCMT ref: 006FE30D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: ErrorHandling__start
                                            • String ID: pow
                                            • API String ID: 3213639722-2276729525
                                            • Opcode ID: 61f2918f78fda8e89f3b0b8533bb6bef6d9bed4d80cdb0a699bb1386582b05b7
                                            • Instruction ID: 371103b728a2f21d417ef0e81c70ab25b47023b6654cd762aaa359784fc5a827
                                            • Opcode Fuzzy Hash: 61f2918f78fda8e89f3b0b8533bb6bef6d9bed4d80cdb0a699bb1386582b05b7
                                            • Instruction Fuzzy Hash: 8D519C62E0C206D6CB197B14C9453BA3FD5AB40780F308A58E1D5463F9EB3E9CD2DA46
                                            APIs
                                            • CharUpperBuffW.USER32(0072569E,00000000,?,0076CC08,?,00000000,00000000), ref: 007578DD
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            • CharUpperBuffW.USER32(0072569E,00000000,?,0076CC08,00000000,?,00000000,00000000), ref: 0075783B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper$_wcslen
                                            • String ID: <sy
                                            • API String ID: 3544283678-4294649419
                                            • Opcode ID: 049c3d62e92b646029ba15a16bc013211b96f43a3c35a8b4cc93598ed260eddf
                                            • Instruction ID: 9ffc1710135f06a075a9cf6980cd7a11bb6445158324f7e8b8c3132c5d0309ba
                                            • Opcode Fuzzy Hash: 049c3d62e92b646029ba15a16bc013211b96f43a3c35a8b4cc93598ed260eddf
                                            • Instruction Fuzzy Hash: BB618371D141189BCF48EBE0DC91DFDB375BF14301B44452AF942A7291EF786A09DBA4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #
                                            • API String ID: 0-1885708031
                                            • Opcode ID: 70851b8fa76224614c850ed6cc6ea9ad273b88fb738ee0a47d6ecad1fa6e5eeb
                                            • Instruction ID: 5e8112ec98d61a462b2bdbb46215fc54cda045109d30ecbbd29a8a1ef2388a89
                                            • Opcode Fuzzy Hash: 70851b8fa76224614c850ed6cc6ea9ad273b88fb738ee0a47d6ecad1fa6e5eeb
                                            • Instruction Fuzzy Hash: 45514335A01396DFDB15DF69D0816FA7BAAEF15310F248059E8919B3C0DB399E43CBA0
                                            APIs
                                            • Sleep.KERNEL32(00000000), ref: 006EF2A2
                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 006EF2BB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: GlobalMemorySleepStatus
                                            • String ID: @
                                            • API String ID: 2783356886-2766056989
                                            • Opcode ID: 9aa994e7cfe10a609439a920ce03e55d6472ace42a2e266f89344b50ffbaf49d
                                            • Instruction ID: 195248a5a8836f5fa29b98a90af3299b0432ef810a9389e6e1e61dd40b97c019
                                            • Opcode Fuzzy Hash: 9aa994e7cfe10a609439a920ce03e55d6472ace42a2e266f89344b50ffbaf49d
                                            • Instruction Fuzzy Hash: 0B5158718087499BD360AF10DC86BABBBF9FF84310F91884DF1D981195EB709529CB6B
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007329EB
                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00732A8D
                                              • Part of subcall function 00732C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00732CE0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: c177c4fca889f34fde62110383b8931d70d1a2d44400360376d2c6ae43c690ef
                                            • Instruction ID: 81e51273d04c901738740fcc02ff7d3931e53f90f5becd58fa250633cbe4189f
                                            • Opcode Fuzzy Hash: c177c4fca889f34fde62110383b8931d70d1a2d44400360376d2c6ae43c690ef
                                            • Instruction Fuzzy Hash: 2E419370A00218ABEF25EF54C945BFE7BBAAF44710F044029F905A7392DB749E45CBA6
                                            APIs
                                            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007557E0
                                            • _wcslen.LIBCMT ref: 007557EC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper_wcslen
                                            • String ID: CALLARGARRAY
                                            • API String ID: 157775604-1150593374
                                            • Opcode ID: 8a235a2c2756bf05086c395d366d135b46d17b1c1e40440a8e82d30eeb0bbd9d
                                            • Instruction ID: fa7da8ce989b906a3eff5fcb515edae7df93156e5fd6fbbf7140e495702f836f
                                            • Opcode Fuzzy Hash: 8a235a2c2756bf05086c395d366d135b46d17b1c1e40440a8e82d30eeb0bbd9d
                                            • Instruction Fuzzy Hash: D6419F31E00209DFCB14DFA9C8959FEBBB5EF59311F10402DE905A7251E7B9AD85CBA0
                                            APIs
                                            • _wcslen.LIBCMT ref: 0074D130
                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0074D13A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CrackInternet_wcslen
                                            • String ID: |
                                            • API String ID: 596671847-2343686810
                                            • Opcode ID: a465e94310c23077c28105d607f8b93dd37bac1d089417086656fe9248bd2cf8
                                            • Instruction ID: e59fd2e0ac6a2cf8cec74010fba208d9631ebaecb1b8c1c259c371b053f00249
                                            • Opcode Fuzzy Hash: a465e94310c23077c28105d607f8b93dd37bac1d089417086656fe9248bd2cf8
                                            • Instruction Fuzzy Hash: 4A313D75D00209ABCF55EFA4CC85AEE7FBAFF04304F00001EF915A6265EB35AA06DB64
                                            APIs
                                            • DestroyWindow.USER32(?,?,?,?), ref: 00763621
                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0076365C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$DestroyMove
                                            • String ID: static
                                            • API String ID: 2139405536-2160076837
                                            • Opcode ID: 7b60793f077a58f4d3b9e3c21a908c223932eb67028d24e5cc6e376ff8512e19
                                            • Instruction ID: 0b018369fd3b9a489186bb0b1438f142749cebde83e9bbb639f7de2853470b09
                                            • Opcode Fuzzy Hash: 7b60793f077a58f4d3b9e3c21a908c223932eb67028d24e5cc6e376ff8512e19
                                            • Instruction Fuzzy Hash: D6318F71100204AAEB109F78DC40EFB73A9FF88724F00961DFDA697290DA78AD91C764
                                            APIs
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0076461F
                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00764634
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: '
                                            • API String ID: 3850602802-1997036262
                                            • Opcode ID: ab699a260db84c5bb369bb4190484bc0103a0ae4a289b47af5b896dcc71c7fd0
                                            • Instruction ID: 72c942bbd99c6debff109d02880331025b851ce6089effceb8528f1a1fad5da1
                                            • Opcode Fuzzy Hash: ab699a260db84c5bb369bb4190484bc0103a0ae4a289b47af5b896dcc71c7fd0
                                            • Instruction Fuzzy Hash: 38312774A0120A9FDF14CFA9C980BDA7BB5FF49300F14406AED06AB342D774A951CF90
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00732884
                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007328B6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: b8789863a6dd8eb3133524c1ef5fc6c477c3dff180ee815a9ee8f4c79cd105bf
                                            • Instruction ID: dd6bde8925032d54d3becdd859b2e1ba2af72171bc930a61333f86ece9325291
                                            • Opcode Fuzzy Hash: b8789863a6dd8eb3133524c1ef5fc6c477c3dff180ee815a9ee8f4c79cd105bf
                                            • Instruction Fuzzy Hash: 1E210C72E00315ABDB159F94C481DFEB7B9DF84710F144059F915B7352EA785D42C7A0
                                            APIs
                                              • Part of subcall function 0073ED19: GetLocalTime.KERNEL32 ref: 0073ED2A
                                              • Part of subcall function 0073ED19: _wcslen.LIBCMT ref: 0073ED3B
                                              • Part of subcall function 0073ED19: _wcslen.LIBCMT ref: 0073ED79
                                              • Part of subcall function 0073ED19: _wcslen.LIBCMT ref: 0073EDAF
                                              • Part of subcall function 0073ED19: _wcslen.LIBCMT ref: 0073EDDF
                                              • Part of subcall function 0073ED19: _wcslen.LIBCMT ref: 0073EDEF
                                              • Part of subcall function 0073ED19: _wcslen.LIBCMT ref: 0073EE2B
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 0076340A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$LocalMessageSendTime
                                            • String ID: @U=u$SysDateTimePick32
                                            • API String ID: 2216836867-2530228043
                                            • Opcode ID: c25f6375f6a03c6ba497270c6e6aae4d6177c8140e5c38820ba76336744e2284
                                            • Instruction ID: 02e515aae174a759e4e89b3f6cd2fc492faa0629b407411b8253bc26bf9ae4ef
                                            • Opcode Fuzzy Hash: c25f6375f6a03c6ba497270c6e6aae4d6177c8140e5c38820ba76336744e2284
                                            • Instruction Fuzzy Hash: EA21D631350209ABEF229E54DC82FFE73AAEB54754F104519FD52A72D0DAB9EC50C760
                                            APIs
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00732178
                                              • Part of subcall function 0073B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0073B355
                                              • Part of subcall function 0073B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B365
                                              • Part of subcall function 0073B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B37B
                                              • Part of subcall function 0073B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321D0,?,?,00000034,00000800,?,00000034), ref: 0073B42D
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 007321DF
                                              • Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                            • String ID: @U=u
                                            • API String ID: 1045663743-2594219639
                                            • Opcode ID: 81f122bed6a7dd08770d7873198ba57e7fae3eaf30a1b00c5273972daa784296
                                            • Instruction ID: 533c51c087449067557e23f4c021e8ce93ee9dd0e0e9dbe67f60a21e95dc5077
                                            • Opcode Fuzzy Hash: 81f122bed6a7dd08770d7873198ba57e7fae3eaf30a1b00c5273972daa784296
                                            • Instruction Fuzzy Hash: 73219031901228EBEF51DBA4DC45FEDBBB8FF04310F1001A5F648A7191EA705E44CB54
                                            APIs
                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0076327C
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00763287
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: Combobox
                                            • API String ID: 3850602802-2096851135
                                            • Opcode ID: 7af11ecf8bb60870da8cc17cd972c3026f2ddf3e5915b2f50e469d35d4754fc3
                                            • Instruction ID: 997092defedd7166d6c326abea698cf3df1a7257746bfd621fad275c15de15f4
                                            • Opcode Fuzzy Hash: 7af11ecf8bb60870da8cc17cd972c3026f2ddf3e5915b2f50e469d35d4754fc3
                                            • Instruction Fuzzy Hash: 6D11E271300208BFFF25DE54DC90EBB37AAFB943A4F104128F91A97290D6799D51C760
                                            APIs
                                              • Part of subcall function 006D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                                              • Part of subcall function 006D600E: GetStockObject.GDI32(00000011), ref: 006D6060
                                              • Part of subcall function 006D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
                                            • GetWindowRect.USER32(00000000,?), ref: 0076377A
                                            • GetSysColor.USER32(00000012), ref: 00763794
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                            • String ID: static
                                            • API String ID: 1983116058-2160076837
                                            • Opcode ID: 03b58c3129f5cc7066945cc0bc8f5d78177e02a807bc320969db50b7de55f22b
                                            • Instruction ID: 2c7ec7d799701aa0b904c0064bc4e49e8059ed111dbd1e3e19ce8f9e2161f1b1
                                            • Opcode Fuzzy Hash: 03b58c3129f5cc7066945cc0bc8f5d78177e02a807bc320969db50b7de55f22b
                                            • Instruction Fuzzy Hash: 301129B2610209AFDB01DFA8CC45AFA7BB8EB09354F004515FD56E2250D779E851DB50
                                            APIs
                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007661FC
                                            • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00766225
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: e834b05acd1cb1f14dbe817a240123df9e44c9ad2650696dfbf3e2f2a66e54b9
                                            • Instruction ID: d2f414e426bc4404ce8971326584543950eb86b613560c50f6bbbc0696b14383
                                            • Opcode Fuzzy Hash: e834b05acd1cb1f14dbe817a240123df9e44c9ad2650696dfbf3e2f2a66e54b9
                                            • Instruction Fuzzy Hash: 9011C471140218BEEF158F68CC25FBA3BA9FB06314F804155FE17AA1D1D2B8DE00DB54
                                            APIs
                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0074CD7D
                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0074CDA6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Internet$OpenOption
                                            • String ID: <local>
                                            • API String ID: 942729171-4266983199
                                            • Opcode ID: 34323b5b75b6ce3f73b590345d31a23327883da23e3e426dc5bc9ab067ad6a41
                                            • Instruction ID: dbab2b53fac9e62d10b9ed610a221f4dba34d8bb70a7981863a5ebe6da7a048e
                                            • Opcode Fuzzy Hash: 34323b5b75b6ce3f73b590345d31a23327883da23e3e426dc5bc9ab067ad6a41
                                            • Instruction Fuzzy Hash: 4A11C671B066357AD77A4B668C45EF7BE6CEF127A4F004226B15983190D7789840DAF0
                                            APIs
                                            • SendMessageW.USER32(?,?,?,?), ref: 00764FCC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: b25c39fed2266f450a4d4e35b492c14da1abaded8ded2697b81779bf331b91dc
                                            • Instruction ID: 3e190f1565d549512cf2d2b15262bf3670d5f5e36435b65a75a15363eae7b8d1
                                            • Opcode Fuzzy Hash: b25c39fed2266f450a4d4e35b492c14da1abaded8ded2697b81779bf331b91dc
                                            • Instruction Fuzzy Hash: AB21E476A0411AEFCB16CFA8C9408EA7BB5FB4D340B044194FD06A7310D735ED21EB94
                                            APIs
                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00763147
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u$button
                                            • API String ID: 3850602802-1762282863
                                            • Opcode ID: 518dfe2827defc4c1aa40b7d1ff7c649a91bd0322831159b8bd9dc5991a62d32
                                            • Instruction ID: 9d21e6e8f47814e87384173f53851d48db717cb8a09acbdddcabcad2db74f35d
                                            • Opcode Fuzzy Hash: 518dfe2827defc4c1aa40b7d1ff7c649a91bd0322831159b8bd9dc5991a62d32
                                            • Instruction Fuzzy Hash: 5D11A132150209ABEF158F64DC41FEA3B6AEF4A354F144118FE66A7190C77AE861D750
                                            APIs
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            • CharUpperBuffW.USER32(?,?,?), ref: 00736CB6
                                            • _wcslen.LIBCMT ref: 00736CC2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen$BuffCharUpper
                                            • String ID: STOP
                                            • API String ID: 1256254125-2411985666
                                            • Opcode ID: 3534ddd493c9639bf4845917164db8fc284de755b1b78ada218143f0c87bbd91
                                            • Instruction ID: 88536fb71b3386e1935d9d56455dea9e4b6f74483a1bd23c55d658a4f7139fb9
                                            • Opcode Fuzzy Hash: 3534ddd493c9639bf4845917164db8fc284de755b1b78ada218143f0c87bbd91
                                            • Instruction Fuzzy Hash: 85010432B10526AADB21AFBDDC808BF77B5EA61714B004529E85296292EA39E800C760
                                            APIs
                                              • Part of subcall function 0073B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321D0,?,?,00000034,00000800,?,00000034), ref: 0073B42D
                                            • SendMessageW.USER32(?,0000102B,?,00000000), ref: 0073243B
                                            • SendMessageW.USER32(?,0000102B,?,00000000), ref: 0073245E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$MemoryProcessWrite
                                            • String ID: @U=u
                                            • API String ID: 1195347164-2594219639
                                            • Opcode ID: c1fe2a76551dec781e8160c47555373cc07f437c6a7613b47f1d4f2e80b1165c
                                            • Instruction ID: 6dc91ec2825fd3d650f8b114039899fd7f557125fbc9a67b6128503a470b4a81
                                            • Opcode Fuzzy Hash: c1fe2a76551dec781e8160c47555373cc07f437c6a7613b47f1d4f2e80b1165c
                                            • Instruction Fuzzy Hash: 6601F932900218EBFB116F64DC4AFEEBB79DB14310F10406AF565AA1D2EBF45E45CB64
                                            APIs
                                            • SendMessageW.USER32(?,0000133E,00000000,?), ref: 007643AF
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00764408
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: InvalidateMessageRectSend
                                            • String ID: @U=u
                                            • API String ID: 909852535-2594219639
                                            • Opcode ID: 65bad96d6c13089b44bce54e068c210eac4f0280fb84105b75c7b9c4d7138272
                                            • Instruction ID: 0df90ac6169a58fe99b24a2b9c3344142f53f9c2900c878199cb9bb9b2a108f8
                                            • Opcode Fuzzy Hash: 65bad96d6c13089b44bce54e068c210eac4f0280fb84105b75c7b9c4d7138272
                                            • Instruction Fuzzy Hash: BF118F74500744AFEB21CF24C891BE7BBE5BF06310F10851DE9AB97291DB756941DB50
                                            APIs
                                            • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00732531
                                            • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00732564
                                              • Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
                                              • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend$MemoryProcessRead_wcslen
                                            • String ID: @U=u
                                            • API String ID: 1083363909-2594219639
                                            • Opcode ID: 28db4f5495ca5e4532e111a644bb21c147d0511b9161679bef113813d7167b7b
                                            • Instruction ID: 81b7b055369bdd78daee73c749f107a5f08c8a8cf11b5c9389334c3fea81a4c7
                                            • Opcode Fuzzy Hash: 28db4f5495ca5e4532e111a644bb21c147d0511b9161679bef113813d7167b7b
                                            • Instruction Fuzzy Hash: 3F016171900128EFDB50AF50CC95DED776DEB14340F40C0A6F689A6151DE745F89CB94
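The two records above that wrap SendMessageW in OpenProcess / VirtualAllocEx / WriteProcessMemory / ReadProcessMemory (the 0x1073 = LVM_GETITEMTEXTW record earlier in this list, and the 0x0406 = SB_GETPARTS / 0x040D = SB_GETTEXTW record directly above) show the standard way of reading item text out of a ListView or status bar owned by another process: the LVITEM structure and the output buffer have to sit in the window owner's address space, so the caller allocates and writes the struct there, sends the message, and reads the result back. The sequence is consistent with the AutoIt runtime helpers behind ControlListView and StatusbarGetText (an inference from the report's "compiled AutoIt script" signature; the report does not name these functions), and it is enough on its own to trip a foreign-memory-write signature such as the one listed for this sample even though none of these records shows a remote thread or APC being created. The Python below is an added example, not part of the Joe Sandbox report, of AutoIt, or of the analysed sample: it parses API lines in exactly the format printed above and applies a heuristic of my own to separate that control-read pattern from a write-then-execute injection sequence. The message numbers are from CommCtrl.h and WinUser.h; the API sets, verdict names and the injection record are assumptions of this example, and the injection record is constructed rather than taken from the report.

```python
"""Added example (not from the report, AutoIt or the sample): classify a Joe Sandbox
'APIs' record by the remote-memory pattern it shows. Heuristic is my own."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Message numbers from CommCtrl.h (LVM_FIRST = 0x1000) and WinUser.h (WM_USER = 0x0400).
LVM_SETITEMSTATE = 0x102B   # LVM_FIRST + 43
LVM_GETITEMSTATE = 0x102C   # LVM_FIRST + 44
LVM_GETITEMTEXTW = 0x1073   # LVM_FIRST + 115
SB_GETTEXTW = 0x040D        # WM_USER + 13

# Messages whose lParam points at a struct/buffer that must live in the address space
# of the process owning the window; a caller in another process has to stage it with
# VirtualAllocEx/WriteProcessMemory and fetch the result with ReadProcessMemory.
# Assumption: this set is illustrative and limited to messages seen in the report.
CROSS_PROCESS_BUFFER_MSGS = {
    LVM_GETITEMTEXTW: "LVM_GETITEMTEXTW",
    LVM_GETITEMSTATE: "LVM_GETITEMSTATE",
    LVM_SETITEMSTATE: "LVM_SETITEMSTATE",
    SB_GETTEXTW: "SB_GETTEXTW",
}
# Assumption: API groupings chosen for this example, not an exhaustive list.
REMOTE_WRITE_APIS = {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory"}
REMOTE_READ_APIS = {"ReadProcessMemory", "NtReadVirtualMemory"}
REMOTE_EXEC_APIS = {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx",
                    "RtlCreateUserThread", "QueueUserAPC", "NtQueueApcThread",
                    "SetThreadContext", "NtSetContextThread"}

# Matches "• SendMessageW.USER32(?,00001073,00000000,?), ref: 007321DF" and the
# "• Part of subcall function 0073B32A: OpenProcess.KERNEL32(...)" form alike.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]


def parse_api_lines(text: str) -> list[ApiCall]:
    """Extract API name, module and literal argument list from each report line."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m is None:
            continue  # headers, and paren-less entries such as "_wcslen.LIBCMT ref: ..."
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args))
    return calls


def message_id(call: ApiCall) -> Optional[int]:
    """uMsg of a SendMessage*/PostMessage* call, or None when the sandbox printed '?'."""
    if not call.api.startswith(("SendMessage", "PostMessage")) or len(call.args) < 2:
        return None
    try:
        return int(call.args[1], 16)
    except ValueError:
        return None


def classify(calls: list[ApiCall]) -> tuple[str, list[str]]:
    """Return (verdict, evidence) for the calls of one record."""
    apis = {c.api for c in calls}
    msgs = [CROSS_PROCESS_BUFFER_MSGS[mid] for c in calls
            if (mid := message_id(c)) in CROSS_PROCESS_BUFFER_MSGS]
    writes = apis & REMOTE_WRITE_APIS
    reads = apis & REMOTE_READ_APIS
    execs = apis & REMOTE_EXEC_APIS
    if writes and execs:
        return "remote-execution", sorted(execs)      # staged code gets a thread: injection
    if (writes or reads) and msgs:
        return "cross-process-control-read", msgs     # ControlListView/StatusbarGetText style
    if writes:
        return "remote-write-only", sorted(writes)    # no message, no thread: look closer
    return "local", []


# Constructed sample input: the two records' API lines in the report's own format.
LISTVIEW_RECORD = """\
• Part of subcall function 0073B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B365
• Part of subcall function 0073B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B37B
• Part of subcall function 0073B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321D0,?,?,00000034,00000800,?,00000034), ref: 0073B42D
• SendMessageW.USER32(?,00001073,00000000,?), ref: 007321DF
• Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
"""
STATUSBAR_RECORD = """\
• SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00732531
• SendMessageW.USER32(?,0000040D,?,00000000), ref: 00732564
• Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
"""
# Constructed counter-example, NOT from the report: the same staging calls followed by
# thread creation, which is what a real write-then-execute injection looks like.
INJECTION_RECORD = """\
• OpenProcess.KERNEL32(?,00000000,?)
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040)
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000)
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000)
"""

if __name__ == "__main__":
    for name, rec in (("listview", LISTVIEW_RECORD), ("statusbar", STATUSBAR_RECORD),
                      ("injection", INJECTION_RECORD)):
        print(name, *classify(parse_api_lines(rec)))
```

The verdict is only a triage hint: a "cross-process-control-read" says the staged memory is a control message buffer, not that the binary is benign, and "remote-write-only" is the case worth reading by hand, since a sandbox trace can simply have cut off before the thread creation.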
                                            APIs
                                            • __Init_thread_footer.LIBCMT ref: 006EA529
                                              • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Init_thread_footer_wcslen
                                            • String ID: ,%z$3yr
                                            • API String ID: 2551934079-955863410
                                            • Opcode ID: 2c4402e50c6b6e5617de2a358b820810c71575378733b799208fc222c24c016d
                                            • Instruction ID: a7edfe76951cb832cd2e0e8b42d4ed51f45b5ad6cc231fccb0dd3219fdbcb2c3
                                            • Opcode Fuzzy Hash: 2c4402e50c6b6e5617de2a358b820810c71575378733b799208fc222c24c016d
                                            • Instruction Fuzzy Hash: 0401F231B017549BD604F7A9E85BAAD3366AB46710F50046DF612572C3EE14AD028AAF
                                            APIs
                                              • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                            • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0072769C,?,?,?), ref: 00769111
                                              • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                            • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007690F7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LongWindow$MessageProcSend
                                            • String ID: @U=u
                                            • API String ID: 982171247-2594219639
                                            • Opcode ID: 43690fe7491862b0c35b21f6add37c112f0a0aa1ea1e5e35c0d49f5dd364fd00
                                            • Instruction ID: d41bc506289d004c01ef10a750288096b2fc9f148cfc509fa67b370e7eee15c3
                                            • Opcode Fuzzy Hash: 43690fe7491862b0c35b21f6add37c112f0a0aa1ea1e5e35c0d49f5dd364fd00
                                            • Instruction Fuzzy Hash: E1012834100204EBDB259F14CC49F663B6AFF86364F204059FE520B2E1C7766C01CB24
                                            APIs
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007A3018,007A305C), ref: 007681BF
                                            • CloseHandle.KERNEL32 ref: 007681D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CloseCreateHandleProcess
                                            • String ID: \0z
                                            • API String ID: 3712363035-4117864471
                                            • Opcode ID: a61c4887d1ae87d44d9d30118545c56bac6687de06d588077019c85d9200f800
                                            • Instruction ID: dcfd1650ff9f9dad5c39c1766fac693be47aafce6192e2c3c65a1f6bcf4a2800
                                            • Opcode Fuzzy Hash: a61c4887d1ae87d44d9d30118545c56bac6687de06d588077019c85d9200f800
                                            • Instruction Fuzzy Hash: 8FF05EF2640304BAF2206B61AC55FB77A5EEB46750F008425FB09D51A2D67E8A0086BD
                                            APIs
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00732480
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00732497
                                              • Part of subcall function 007323DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 0073243B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: 714b9ef758989905ae28e9159edfab4dc6cae6d70a63e6c37e00f7efe1a62e78
                                            • Instruction ID: 5c833708b6583861d2f2a1b953093346450b699690bd17d1ba49e8e8424bc8df
                                            • Opcode Fuzzy Hash: 714b9ef758989905ae28e9159edfab4dc6cae6d70a63e6c37e00f7efe1a62e78
                                            • Instruction Fuzzy Hash: 17F0E231601161BAFB211B56DC0ECEFBF6DDF46760F104094F445A2152CAF55D42C6A0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: _wcslen
                                            • String ID: 3, 3, 16, 1
                                            • API String ID: 176396367-3042988571
                                            • Opcode ID: 668f778a576d829853c95fb52ae7cc8b47ad75ac4e95dc629c2aaf48cae7b939
                                            • Instruction ID: 385c44522ca8449eb092b8a0874ad614c195783e724050bf3574240c502b062e
                                            • Opcode Fuzzy Hash: 668f778a576d829853c95fb52ae7cc8b47ad75ac4e95dc629c2aaf48cae7b939
                                            • Instruction Fuzzy Hash: CDE02B423142A01092791279BCC19BF578ACFC6751714182FFE85C2266EED88D91D3E4
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00732BFA
                                            • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00732C2A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: 2c3d57acf3d4ce38729a3942988260fc03067b33c09e9ac3ca270ad3ef00f6cd
                                            • Instruction ID: 07ace0d1b4620f5bb834a8895bb3239210283a607901feaa6b8a5b6f632c28a8
                                            • Opcode Fuzzy Hash: 2c3d57acf3d4ce38729a3942988260fc03067b33c09e9ac3ca270ad3ef00f6cd
                                            • Instruction Fuzzy Hash: 69F0A075340304BFFB126B80EC4AFBA3B5DEB14761F104015F7465A1D2C9E65C1097A4
                                            APIs
                                              • Part of subcall function 0073286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00732884
                                              • Part of subcall function 0073286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007328B6
                                            • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00732D80
                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00732D90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: b02f9d6a2e827c8c04c59b0227bf0f9e28b13946c0a5a2c349eded929735d84a
                                            • Instruction ID: 94303de36c3f53860a1dd08f564ccea325280193dbb0e1e7fdff7a61dc24c8d7
                                            • Opcode Fuzzy Hash: b02f9d6a2e827c8c04c59b0227bf0f9e28b13946c0a5a2c349eded929735d84a
                                            • Instruction Fuzzy Hash: 92E0D8353443057FF6220A51DC4AEB3375CD758751F100026F30565193DEE6CC125568
                                            APIs
                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00765855
                                            • InvalidateRect.USER32(?,?,00000001), ref: 00765877
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: InvalidateMessageRectSend
                                            • String ID: @U=u
                                            • API String ID: 909852535-2594219639
                                            • Opcode ID: c8eea4afdee30b654cadc61fc32b0430ef7be83713a127bb229197f9993b0fbf
                                            • Instruction ID: 8ab8591f22b9259904f7e303728544b707341e36a553b5066133ffea93a2bded
                                            • Opcode Fuzzy Hash: c8eea4afdee30b654cadc61fc32b0430ef7be83713a127bb229197f9993b0fbf
                                            • Instruction Fuzzy Hash: ECF08232604280AEDB218B75DC44FEEBFF8EB85361F0441F2E96BD9051DA748E85DB20
                                            APIs
                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00730B23
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Message
                                            • String ID: AutoIt$Error allocating memory.
                                            • API String ID: 2030045667-4017498283
                                            • Opcode ID: f9e0484cab76d46021268447eaa217f7e62ca4316ab9ac7e55f44ec6f5628366
                                            • Instruction ID: db5bb6c375a93d2569122dcf9fc21b6f71fd352c79be6d3f560ff1877fbf2cc8
                                            • Opcode Fuzzy Hash: f9e0484cab76d46021268447eaa217f7e62ca4316ab9ac7e55f44ec6f5628366
                                            • Instruction Fuzzy Hash: 3FE0DF722853583BE3513795BC03F997A858F05B20F10442EFB88A95C38AEA389046ED
                                            APIs
                                              • Part of subcall function 006EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006F0D71,?,?,?,006D100A), ref: 006EF7CE
                                            • IsDebuggerPresent.KERNEL32(?,?,?,006D100A), ref: 006F0D75
                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006D100A), ref: 006F0D84
                                            Strings
                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006F0D7F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                            • API String ID: 55579361-631824599
                                            • Opcode ID: 08586736283a9378a41a567f06ac25862b2519157e89f1f7dd5278a938f7f14a
                                            • Instruction ID: c89ad6e1c1728380409cfe396672cbd7fd08949ee8f91528d2ba984c61e2b0c2
                                            • Opcode Fuzzy Hash: 08586736283a9378a41a567f06ac25862b2519157e89f1f7dd5278a938f7f14a
                                            • Instruction Fuzzy Hash: 25E06D742003518FE7619FB9E8143667BE5BF04744F00892DE982C6656DBB9E4448B91
                                            APIs
                                            • __Init_thread_footer.LIBCMT ref: 006EE3D5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: Init_thread_footer
                                            • String ID: 0%z$8%z
                                            • API String ID: 1385522511-2349322819
                                            • Opcode ID: 4190390cf1a6c48f1de5394a7e45111aae993ceb4ca50ec6c9f91f4c40954f51
                                            • Instruction ID: 3744494fa0a67f3dfa4f14a2a431c119b8d081dbc42e476797605829c0a387a6
                                            • Opcode Fuzzy Hash: 4190390cf1a6c48f1de5394a7e45111aae993ceb4ca50ec6c9f91f4c40954f51
                                            • Instruction Fuzzy Hash: 69E02639C09B54CBCA0CD71DB874A983397BB86320B1042F9E102876D3DB3A28438A5C
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: LocalTime
                                            • String ID: %.3d$X64
                                            • API String ID: 481472006-1077770165
                                            • Opcode ID: 1823d0bf07577613be6fc554173f19c25d3abedaa6638b6d60d2e2043f11883e
                                            • Instruction ID: ee66dbbef33b84b311bd7062fc21563a31b46b20e366d64bca3fc53b704cf9fb
                                            • Opcode Fuzzy Hash: 1823d0bf07577613be6fc554173f19c25d3abedaa6638b6d60d2e2043f11883e
                                            • Instruction Fuzzy Hash: DDD012A1809268EACBA097E0EC498B9B3FCBB08301F608452F90692040D62CC908A761
                                            APIs
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076236C
                                            • PostMessageW.USER32(00000000), ref: 00762373
                                              • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FindMessagePostSleepWindow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 529655941-2988720461
                                            • Opcode ID: 5f749bf7df67a6de6ab2796c857d9412b6678a646be30653d4a4d9f1e0fb9096
                                            • Instruction ID: 9eaab2e10343fe383bf4a067f1f56af5326f29a07584b892d261a9c81393eb2f
                                            • Opcode Fuzzy Hash: 5f749bf7df67a6de6ab2796c857d9412b6678a646be30653d4a4d9f1e0fb9096
                                            • Instruction Fuzzy Hash: 6BD0C972381310BAEA65B770EC0FFD67A149B04B10F108A56B687AA1D1C9E8B8018A58
                                            APIs
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076232C
                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0076233F
                                              • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: FindMessagePostSleepWindow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 529655941-2988720461
                                            • Opcode ID: bf7602e66a36ccdc5d640188f58874fe06d0f56ff74ab4b7f44bd8ae54560674
                                            • Instruction ID: ce25b423a7a44cd15642b3326b928e59ee0dfa6404ea332435358f6cfadc79ab
                                            • Opcode Fuzzy Hash: bf7602e66a36ccdc5d640188f58874fe06d0f56ff74ab4b7f44bd8ae54560674
                                            • Instruction Fuzzy Hash: EDD01276394310B7EA64B770EC0FFD67A149B04B10F108A56B787AA1D1C9F8B801CB58
                                            APIs
                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0073231F
                                            • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0073232D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1388984516.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                             • Associated: 00000000.00000002.1388963595.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389240017.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389294418.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1389315471.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6d0000_v3tK92KcJV.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: @U=u
                                            • API String ID: 3850602802-2594219639
                                            • Opcode ID: f424b5f3fa2bc36bb54b0741aa72f1cdf1d0c7a423edf7e319453bebcab34fe0
                                            • Instruction ID: 8b16f5aa57ee73b7f9bfb83fcce1c22df5a9fe49c82c5e881ea659fb3384163c
                                            • Opcode Fuzzy Hash: f424b5f3fa2bc36bb54b0741aa72f1cdf1d0c7a423edf7e319453bebcab34fe0
                                            • Instruction Fuzzy Hash: ACC01231100281BAE6220B23EC0CC673E3DE7CAF013000088B266840A586E80400C628