

Windows Analysis Report
GOmRjFSKNz.exe

Overview

General Information

Sample name: GOmRjFSKNz.exe (renamed because the original name is a hash value)
Original sample name: bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5.exe
Analysis ID: 1534173
MD5: 01ef5f0617d6cb995abe430c3c6c7acd
SHA1: 9d6cee782bce7762f58f2bf6c1c38218491e9f94
SHA256: bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5
Tags: 87-120-114-39, exe, user-JAMESWT_MHT

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Installs new ROOT certificates
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • GOmRjFSKNz.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\GOmRjFSKNz.exe" MD5: 01EF5F0617D6CB995ABE430C3C6C7ACD)
    • cmd.exe (PID: 1188 cmdline: "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 4996 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5956 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6120 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5672 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5960 cmdline: cmd /c md 72076 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 2140 cmdline: findstr /V "SILICONLATINOAMPLANDBLOW" Words MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5868 cmdline: cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Launches.pif (PID: 4296 cmdline: Launches.pif s MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • RegAsm.exe (PID: 1144 cmdline: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • choice.exe (PID: 888 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
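
The tree above is the whole loader chain in one picture: the dropper (an NSIS installer, going by the nsis.sf.net string found in it) starts cmd.exe on a batch file, the batch file pipes tasklist into findstr twice to look for security-product processes (wrsa, opssvc, avastui, avgui, bdservicehost, nswscsvc, sophoshealth), creates the directory 72076, prints every line of the file Words that does not contain the marker SILICONLATINOAMPLANDBLOW, stitches six dropped fragments into the file s with copy /b, and runs Launches.pif (an AutoIt interpreter, per the autoitscript.com string in the same file) with s as its script. That AutoIt process starts RegAsm.exe out of %TEMP%, and it is the RegAsm memory in which the RedLine YARA rules and the configuration extractor match. choice /d y /t 5 is a five-second sleep at the end of the batch file.

As an added example (not Joe Sandbox code and not the Sigma rules the report references), the Python below turns those four observations into process-creation detections and runs them over events constructed from the tree above. The rule names, the vendor process list and the test for an "uncommon" RegAsm location are this example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon event 1 or this report's tree expose)."""
    pid: int
    image: str          # full path of the started image
    cmdline: str
    parent_image: str   # full path of the parent image


# Security-product process names the batch script greps tasklist output for; taken from the
# two findstr command lines in this report. Assumption: extend with your own vendor list.
AV_PROCESS_NAMES = frozenset({
    "wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth",
})
# Executable extensions a batch script has little legitimate reason to launch.
SUSPICIOUS_EXTS = (".pif", ".scr", ".com", ".cpl")
# Directories where RegAsm.exe / RegSvcs.exe legitimately live (assumption: 32- and 64-bit Framework).
DOTNET_DIRS = ("c:\\windows\\microsoft.net\\framework\\", "c:\\windows\\microsoft.net\\framework64\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def av_process_discovery(ev: ProcEvent):
    """findstr run with a security-product name: the 'tasklist | findstr /I ...' AV check."""
    if _basename(ev.image) != "findstr.exe":
        return None
    tokens = {t.strip('"').lower() for t in ev.cmdline.split()}
    hits = sorted(tokens & AV_PROCESS_NAMES)
    return hits or None


def suspicious_file_extension(ev: ProcEvent):
    """A .pif/.scr/.com/.cpl image started by cmd.exe (here: the renamed AutoIt interpreter)."""
    name = _basename(ev.image)
    if name.endswith(SUSPICIOUS_EXTS) and _basename(ev.parent_image) == "cmd.exe":
        return name
    return None


def regasm_uncommon_location(ev: ProcEvent):
    """RegAsm/RegSvcs executed from outside the .NET Framework directories."""
    if _basename(ev.image) in ("regasm.exe", "regsvcs.exe") and not ev.image.lower().startswith(DOTNET_DIRS):
        return ev.image
    return None


_COPY_B = re.compile(r"\bcopy\s+/b\b.*\+", re.IGNORECASE)


def payload_fragment_assembly(ev: ProcEvent):
    """'copy /b a + b + c out': a payload being stitched back together from dropped chunks."""
    if _basename(ev.image) == "cmd.exe" and _COPY_B.search(ev.cmdline):
        return ev.cmdline
    return None


RULES = {
    "av_process_discovery": av_process_discovery,
    "suspicious_file_extension": suspicious_file_extension,
    "regasm_uncommon_location": regasm_uncommon_location,
    "payload_fragment_assembly": payload_fragment_assembly,
}


def scan(events):
    """Run every rule over every event; return one (pid, rule name, detail) tuple per hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append((ev.pid, name, detail))
    return alerts


# Sample events constructed from the process tree above (PIDs and command lines as reported).
TEMP = r"C:\Users\user\AppData\Local\Temp\72076"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(1188, CMD, r'"C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat',
              r"C:\Users\user\Desktop\GOmRjFSKNz.exe"),
    ProcEvent(5900, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", CMD),
    ProcEvent(5956, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"', CMD),
    ProcEvent(5672, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"', CMD),
    ProcEvent(2140, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "SILICONLATINOAMPLANDBLOW" Words', CMD),
    ProcEvent(5868, CMD, r"cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s", CMD),
    ProcEvent(4296, TEMP + r"\Launches.pif", "Launches.pif s", CMD),
    ProcEvent(1144, TEMP + r"\RegAsm.exe", TEMP + r"\RegAsm.exe", TEMP + r"\Launches.pif"),
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"PID {pid:>5}  {rule:<28} {detail}")
```

Five of the eight events fire (both findstr AV checks, the copy /b assembly, Launches.pif under cmd.exe, and RegAsm.exe from %TEMP%); conhost.exe, the first cmd.exe and the findstr /V call stay quiet. The findstr match is on the argument tokens rather than on the full string, so a different quoting or ordering of the vendor names still hits.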
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Extracted malware configuration (RedLine):
{"C2 url": "87.120.114.39:47928", "Bot Id": "new", "Authorization Header": "4484cd46611513b45d351e0b5010e5bb"}
Yara matches in memory dumps (5 of 13 shown):
Source | Rule | Description | Author
0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000A.00000003.2824672801.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches in unpacked PE files:
Source | Rule | Description | Author
10.3.Launches.pif.1ddc050.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
16.2.RegAsm.exe.340000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
10.3.Launches.pif.1ddc050.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

                  System Summary

                  Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, ParentCommandLine: Launches.pif s, ParentImage: C:\Users\user\AppData\Local\Temp\72076\Launches.pif, ParentProcessId: 4296, ParentProcessName: Launches.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, ProcessId: 1144, ProcessName: RegAsm.exe
                  Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: Launches.pif s, CommandLine: Launches.pif s, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\72076\Launches.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\72076\Launches.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\72076\Launches.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1188, ParentProcessName: cmd.exe, ProcessCommandLine: Launches.pif s, ProcessId: 4296, ProcessName: Launches.pif
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, ParentCommandLine: Launches.pif s, ParentImage: C:\Users\user\AppData\Local\Temp\72076\Launches.pif, ParentProcessId: 4296, ParentProcessName: Launches.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe, ProcessId: 1144, ProcessName: RegAsm.exe

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Process startedAuthor: Joe Security: Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1188, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 5672, ProcessName: findstr.exe
                  No Suricata rule has matched


                  AV Detection

Source: 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp  Malware Configuration Extractor: RedLine {"C2 url": "87.120.114.39:47928", "Bot Id": "new", "Authorization Header": "4484cd46611513b45d351e0b5010e5bb"}
Source: GOmRjFSKNz.exe  ReversingLabs: Detection: 34%
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 99.5% probability
Source: GOmRjFSKNz.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: GOmRjFSKNz.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8 source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3034584358.0000000005EF2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nHC:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
                  Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb4 source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
                  Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.00000000009FC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exeCode function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exeCode function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exeCode function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_007A4005
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007A494A GetFileAttributesW,FindFirstFileW,FindClose,10_2_007A494A
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_007A3CE2
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_007AC2FF
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007ACD14 FindFirstFileW,FindClose,10_2_007ACD14
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_007ACD9F
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_007AF5D8
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_007AF735
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_007AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_007AFA36
Source: C:\Windows\SysWOW64\cmd.exe  File opened: C:\Users\user\AppData\Local\Temp\72076\
Source: C:\Windows\SysWOW64\cmd.exe  File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe  File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe  File opened: C:\Users\user\AppData\Local\Temp\72076
Source: C:\Windows\SysWOW64\cmd.exe  File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe  File opened: C:\Users\user\

                  Networking

Source: Malware configuration extractor  URLs: 87.120.114.39:47928
Source: global traffic  TCP traffic: 87.120.114.39 ports 47928,2,4,7,8,9
Source: global traffic  TCP traffic: 192.168.2.4:50002 -> 87.120.114.39:47928
Source: Joe Sandbox View  ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown  DNS traffic detected: query: GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex  reply code: Name error (3, NXDOMAIN)
Source: unknown  TCP traffic detected without corresponding DNS query: 87.120.114.39 (5 times)
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif  Code function: 10_2_007B29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic  DNS traffic detected: DNS query: GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                  Source: GOmRjFSKNz.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15LRfqx/j
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1LRfq4
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21LRfqduj
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7LRfqx
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9LRfq
                  Source: RegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Launches.pif, 0000000A.00000000.1818602986.0000000000809000.00000002.00000001.01000000.00000006.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
                  Source: Launches.pif, 0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2882687318.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2882687318.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2833826824.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2884666788.0000000001DDC000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2833895594.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2884574282.0000000001E5C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3032255109.0000000000342000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
                  Source: Launches.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp, Carol.0.dr, Launches.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/06
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007B4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007CD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp90E.tmp
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp93E.tmp
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A4254 CreateFileW,DeviceIoControl,CloseHandle
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00798F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File created: C:\Windows\MississippiClinic
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_0040497C
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_00406ED2
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004074BB
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0074B020
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007494E0
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00749C80
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007623F5
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007C8400
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00776502
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0077265E
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0074E6F0
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076282A
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007789BF
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00776A74
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007C0A3A
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00750BE0
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076CD51
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0079EDB2
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A8E44
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007C0EB7
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00776FE6
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007633B7
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075D45D
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076F409
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00741663
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075F628
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007616B4
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0074F6A0
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007678C3
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076DBA5
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00761BA8
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00779CE5
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0075DD28
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_0076BFD6
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00761FC0
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_00BBDC74
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA67D8
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DAA3E8
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DAA3D8
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA6FF8
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Code function: 16_2_05DA6FE8
                  Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\72076\Launches.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: String function: 004062A3 appears 57 times
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: String function: 00768B30 appears 42 times
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: String function: 00751A36 appears 34 times
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: String function: 00760D17 appears 70 times
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002886000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs GOmRjFSKNz.exe
                  Source: GOmRjFSKNz.exe, 00000000.00000003.1786608510.0000000000804000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs GOmRjFSKNz.exe
                  Source: GOmRjFSKNz.exe, 00000000.00000002.1787695654.0000000000804000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs GOmRjFSKNz.exe
                  Source: GOmRjFSKNz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: classification engine Classification label: mal100.troj.evad.winEXE@24/17@1/1
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007AA6AD GetLastError,FormatMessageW
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00798DE9 AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_00799399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Code function: 0_2_004024FB CoCreateInstance
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Code function: 10_2_007A443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File created: C:\Users\user\AppData\Local\Temp\nsl4E2F.tmp
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat
                  Source: GOmRjFSKNz.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: GOmRjFSKNz.exe ReversingLabs: Detection: 34%
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe File read: C:\Users\user\Desktop\GOmRjFSKNz.exe
                  Source: unknown Process created: C:\Users\user\Desktop\GOmRjFSKNz.exe "C:\Users\user\Desktop\GOmRjFSKNz.exe"
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 72076
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SILICONLATINOAMPLANDBLOW" Words
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Launches.pif s
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Process created: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: shfolder.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: riched20.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: usp10.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: msls31.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                  Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: napinsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: pnrpnsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: wshbth.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: winrnr.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Section loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: msisip.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: wshext.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: appxsip.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: opcservices.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: esdsip.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: scrrun.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: linkinfo.dll
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: Google Chrome.lnk.16.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: GOmRjFSKNz.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb8 source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3034584358.0000000005EF2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nHC:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
                  Source: Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032392433.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb4 source: Launches.pif, 0000000A.00000003.2823843249.0000000004418000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000000.2826358198.0000000000262000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe.10.dr
                  Source: Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.00000000009FC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000010.00000002.3032787620.0000000000962000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_00768B75 push ecx; ret 10_2_00768B88
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_0075CBDB push eax; retf 10_2_0075CBF8
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_0075CC06 push eax; retf 10_2_0075CBF8
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeCode function: 16_2_05DAD413 push es; ret 16_2_05DAD420
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeCode function: 16_2_05DAC711 push es; ret 16_2_05DAC720
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeCode function: 16_2_05DA804D push ecx; iretd 16_2_05DA8052
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeCode function: 16_2_05DAECF2 push eax; ret 16_2_05DAED01
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeCode function: 16_2_05DA49AB push FFFFFF8Bh; retf 16_2_05DA49AD
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeCode function: 16_2_05DA3B4F push dword ptr [esp+ecx*2-75h]; ret 16_2_05DA3B53

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	File created: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007C59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,10_2_007C59B3
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_00755EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_00755EDA
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007633B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_007633B7
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe	Process information set: NOOPENFILEERRORBOX (12 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (60 identical entries)
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Memory allocated: BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Memory allocated: 4600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	API coverage: 4.8 %
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe	Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_007A4005
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007A494A GetFileAttributesW,FindFirstFileW,FindClose,10_2_007A494A
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_007A3CE2
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_007AC2FF
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007ACD14 FindFirstFileW,FindClose,10_2_007ACD14
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_007ACD9F
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_007AF5D8
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_007AF735
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_007AFA36
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_00755D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_00755D13
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\72076\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\72076
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: Launches.pif, 0000000A.00000002.2895968083.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp, Launches.pif, 0000000A.00000003.2894423586.0000000001D79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: RegAsm.exe, 00000010.00000002.3034584358.0000000005F25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_10-99316
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007B45D5 BlockInput,10_2_007B45D5
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_00755240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_00755240
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_00775CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,10_2_00775CAC
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe	Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_007988CD
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_0076A354 SetUnhandledExceptionFilter,10_2_0076A354
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_0076A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_0076A385
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Memory written: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe base: 340000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Memory written: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe base: 340000
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Memory written: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe base: 449000
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_00799369 LogonUserW,10_2_00799369
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_00755240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_00755240
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007A1AC6 SendInput,keybd_event,10_2_007A1AC6
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007A51E2 mouse_event,10_2_007A51E2
Source: C:\Users\user\Desktop\GOmRjFSKNz.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 72076
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SILICONLATINOAMPLANDBLOW" Words
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\72076\Launches.pif Launches.pif s
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Process created: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_007988CD
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_007A4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,10_2_007A4F1C
Source: GOmRjFSKNz.exe, 00000000.00000003.1781635044.0000000002878000.00000004.00000020.00020000.00000000.sdmp, Launches.pif, 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp, Carol.0.dr, Launches.pif.1.dr	Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Launches.pif	Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif	Code function: 10_2_0076885B cpuid 10_2_0076885B
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_00780030 GetLocalTime,__swprintf,10_2_00780030
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_00780722 GetUserNameW,10_2_00780722
                  Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pifCode function: 10_2_0077416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,10_2_0077416A
                  Source: C:\Users\user\Desktop\GOmRjFSKNz.exeCode function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
                  Source: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 10.3.Launches.pif.1ddc050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.RegAsm.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Launches.pif.1ddc050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2824672801.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2882687318.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3032255109.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2882687318.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825305490.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825305490.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2833826824.000000000449B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2884666788.0000000001DDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825915690.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2833895594.0000000004418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2884370254.0000000001F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2884574282.0000000001E5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Launches.pif PID: 4296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1144, type: MEMORYSTR
Source: Launches.pif | Binary or memory string: WIN_81
Source: Launches.pif | Binary or memory string: WIN_XP
Source: Launches.pif | Binary or memory string: WIN_XPe
Source: Launches.pif | Binary or memory string: WIN_VISTA
Source: Launches.pif | Binary or memory string: WIN_7
Source: Launches.pif | Binary or memory string: WIN_8
Source: Launches.pif.1.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                  Remote Access Functionality

Source: Yara match | File source: 10.3.Launches.pif.1ddc050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.RegAsm.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Launches.pif.1ddc050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2824672801.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2882687318.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3032255109.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2882687318.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825305490.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825305490.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2833826824.000000000449B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2884666788.0000000001DDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2825915690.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2833895594.0000000004418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2884370254.0000000001F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.2884574282.0000000001E5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Launches.pif PID: 4296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1144, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif | Code function: 10_2_007B696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Temp\72076\Launches.pif | Code function: 10_2_007B6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information1
                  Scripting
                  2
                  Valid Accounts
                  1
                  Windows Management Instrumentation
                  1
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  11
                  Disable or Modify Tools
                  21
                  Input Capture
                  2
                  System Time Discovery
                  Remote Services1
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Native API
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  LSASS Memory1
                  Account Discovery
                  Remote Desktop Protocol21
                  Input Capture
                  1
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt2
                  Valid Accounts
                  2
                  Valid Accounts
                  2
                  Obfuscated Files or Information
                  Security Account Manager3
                  File and Directory Discovery
                  SMB/Windows Admin Shares3
                  Clipboard Data
                  1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation
                  1
                  Install Root Certificate
                  NTDS27
                  System Information Discovery
                  Distributed Component Object ModelInput Capture1
                  Non-Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection
                  1
                  DLL Side-Loading
                  LSA Secrets1
                  Query Registry
                  SSHKeylogging11
                  Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts111
                  Masquerading
                  Cached Domain Credentials131
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                  Valid Accounts
                  DCSync11
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                  Virtualization/Sandbox Evasion
                  Proc Filesystem4
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                  Access Token Manipulation
                  /etc/passwd and /etc/shadow1
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                  Process Injection
                  Network Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Behavior Graph ID: 1534173 | Sample: GOmRjFSKNz.exe | Startdate: 15/10/2024 | Architecture: WINDOWS | Score: 100
GOmRjFSKNz.exe (started) | DNS: GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex | Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 5 other signatures
  -> cmd.exe (started) | Dropped: C:\Users\user\AppData\Local\...\Launches.pif, PE32 | Signatures: Drops PE files with a suspicious file extension | Starts: Launches.pif, cmd.exe, conhost.exe, 7 other processes
     -> Launches.pif (started) | Dropped: C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 | Signatures: Found API chain indicative of debugger detection; Writes to foreign memory regions; Injects a PE file into a foreign processes
        -> RegAsm.exe (started) | Network: 87.120.114.39, ports 47928, 50002 (UNACS-AS-BG8000BurgasBG, Bulgaria) | Signatures: Installs new ROOT certificates

Source | Detection | Scanner | Label | Link
GOmRjFSKNz.exe | 34% | ReversingLabs | Win32.Trojan.Generic |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | 5% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/actor/next | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
87.120.114.39:47928 | true | | unknown
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id15LRfqx/jRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id3ResponsexRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id8LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id17LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id24ResponsexRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rmRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id19LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id6LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessageRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id22LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id23LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id12ResponsexRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id17ResponsexRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id10LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id18LRfqRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/soap/actor/nextRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://tempuri.org/Entity/Id4ResponsexRegAsm.exe, 00000010.00000002.3033364620.0000000002601000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.114.39 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534173
Start date and time: 2024-10-15 17:01:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GOmRjFSKNz.exe (renamed because the original name is a hash value)
Original Sample Name: bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@24/17@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 100
• Number of non-executed functions: 296
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
• VT rate limit hit for: GOmRjFSKNz.exe
Time | Type | Description
11:02:22 | API Interceptor | 2503x Sleep call for process: Launches.pif modified
IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
87.120.114.39 | t1B7sgX825.exe | malicious | RedLine |

Domains: No context

ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | t1B7sgX825.exe | malicious | RedLine | 87.120.114.39
UNACS-AS-BG8000BurgasBG | r3DGQXicwA.exe | malicious | LummaC, RedLine | 87.120.127.223
UNACS-AS-BG8000BurgasBG | r3DGQXicwA.exe | malicious | LummaC, MicroClip, RedLine | 87.120.127.223
UNACS-AS-BG8000BurgasBG | https://anviict.com/?qvtvxymb | malicious | HTMLPhisher | 87.120.125.203
UNACS-AS-BG8000BurgasBG | 1728486965f09c65efe9ac8095b3334d8c21391956afcf95821ee79f205e6ccc5199206ffd610.dat-decoded.exe | malicious | Remcos | 87.120.117.161
UNACS-AS-BG8000BurgasBG | n92fR6j8tl.rtf | malicious | Remcos | 87.120.117.161
UNACS-AS-BG8000BurgasBG | https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg | malicious | Unknown | 87.120.114.172
UNACS-AS-BG8000BurgasBG | ordin de plat#U0103.docx | malicious | Remcos | 87.120.117.161
UNACS-AS-BG8000BurgasBG | 5fnrWlGa3H.exe | malicious | XenoRAT | 87.120.116.119
UNACS-AS-BG8000BurgasBG | https://z168563365.cloud/ | malicious | Unknown | 87.120.117.199

JA3 Fingerprints: No context

Dropped Files
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | t1B7sgX825.exe | malicious | RedLine
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | sV9ElC4fU4.exe | malicious | GO Backdoor
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | Lz1uWbvPmZ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | cW5i0RdQ4L.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | cW5i0RdQ4L.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | 67079aecc452b_xin.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | 6706e721f2c06.exe | malicious | Remcos
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | hlyG1m5UmO.exe | malicious | Stealc, Vidar
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar
C:\Users\user\AppData\Local\Temp\72076\Launches.pif | M13W1o3scc.exe | malicious | Stealc
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | t1B7sgX825.exe | malicious | RedLine
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | 08(2)_00.exe | malicious | AgentTesla
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | rDoc5633276235623657_xls.exe | malicious | StormKitty, XWorm
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | lchs.exe | malicious | Quasar
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | Shipping Documemt.vbs | malicious | Lokibot
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | AaK2FmzNcl.exe | malicious | LummaC
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | pic4.jpg.exe | malicious | AsyncRAT, DcRat, Stealerium, StormKitty
C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe | file.exe | malicious | RisePro Stealer

Caveat: the dropped-file matches are on the file itself, not on this campaign. RegAsm.exe is the legitimate .NET Framework assembly registration tool and is used as an injection host by many unrelated families, which is why it correlates with AgentTesla, Quasar, Lokibot and others here; the Launches.pif loader likewise appears across several stealer and RAT families. Pivot on the C2 IP and the RedLine configuration rather than on these file hashes.
Process: C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:38 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category: dropped
Size (bytes): 2104
Entropy (8bit): 3.4565377172144633
Encrypted: false
SSDEEP: 48:8SFd7oTbs07RYrnvPdAKRkdAGdAKRFdAKR/U:8Sjon4
MD5: 8EDBB395DA95C66BF31B1DE5F62D176F
SHA1: 143D31721A37A5D9850206956C16DEC9058B246C
SHA-256: B7519557D493FC60C12BF5325BC9CAB0D6FAF6CE23FA0FFDD4316FA35603E5B6
SHA-512: BF1E14118BF8BB0ED065F4EB240959C64FF464382D13F2FE8A4B5E0DC8AB06AA31BD084C122E51CEE9DA5BA5D2E72A96B07C02D3CB797CCC10D45B1F802A0A8D
Malicious: false
Preview: L..................F.@.. ......,......0........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWT`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWT`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWT`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWJ`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
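The preview above is a Windows shortcut whose target is chrome.exe ("Access the Internet" description, working directory C:\Program Files\Google\Chrome\Application) with a `--proxy-server` switch appended to the command line, so every Chrome launch through that shortcut is routed via an attacker-chosen proxy. The check a responder wants is to read the arguments out of such a .lnk without resolving or launching it. The following is an added example, not part of the Joe Sandbox report: a minimal parser of the MS-SHLLINK header and StringData section, run against a constructed sample that mirrors the fields listed in the preview. The sample bytes, the proxy.example placeholder and the list of flagged Chrome switches beyond `--proxy-server` are my own assumptions.

```python
import struct

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# Shell Link CLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Chrome switches worth flagging in a tampered browser shortcut. --proxy-server is the one
# visible in the dropped file's preview; the others are my own additions (assumption).
SUSPICIOUS_SWITCHES = (
    "--proxy-server",
    "--proxy-pac-url",
    "--load-extension",
    "--ignore-certificate-errors",
)


def _read_string(data, off, unicode):
    """Read one StringData item: CountCharacters (u16) followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        text = data[off:off + 2 * count].decode("utf-16-le")
        off += 2 * count
    else:
        text = data[off:off + count].decode("cp1252")
        off += count
    return text, off


def parse_lnk(data):
    """Return the StringData fields of a .lnk (name, relative_path, working_dir,
    arguments, icon_location) without resolving or launching the target."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList block if present
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip the LinkInfo block if present
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[key], off = _read_string(data, off, unicode)
    return fields


def suspicious_switches(fields):
    """Return the flagged Chrome switches present in the shortcut's arguments."""
    args = fields.get("arguments", "").lower()
    return [sw for sw in SUSPICIOUS_SWITCHES if sw in args]


def build_sample_lnk(arguments):
    """Constructed sample (not the real dropped file): header + StringData only,
    with the same target, description and working directory the report shows."""
    strings = {
        "name": "Access the Internet",
        "relative_path": r"..\..\..\Program Files\Google\Chrome\Application\chrome.exe",
        "working_dir": r"C:\Program Files\Google\Chrome\Application",
        "arguments": arguments,
    }
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 3242272, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in strings.values())
    return header + body


if __name__ == "__main__":
    # proxy.example:8080 is a placeholder; the real proxy value is truncated in the report
    sample = build_sample_lnk("--proxy-server=proxy.example:8080")
    parsed = parse_lnk(sample)
    print(parsed["relative_path"], parsed["arguments"])
    print("flagged:", suspicious_switches(parsed))
```

Point `parse_lnk` at the bytes of a real shortcut (for example every *.lnk under each user's Desktop, Start Menu and taskbar pinned folders) and alert on any browser shortcut whose arguments hit `suspicious_switches`; reading the StringData directly avoids the shell resolving the link, which matters when the target is the malware itself rather than chrome.exe.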
                                                                                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:modified
                                                                                                                                                                            Size (bytes):893608
                                                                                                                                                                            Entropy (8bit):6.62028134425878
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                                                                                                                            MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                                                                                                                            SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                                                                                                                            SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                                                                                                                            SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:
• Filename: t1B7sgX825.exe, Detection: malicious
• Filename: sV9ElC4fU4.exe, Detection: malicious
• Filename: Lz1uWbvPmZ.exe, Detection: malicious
• Filename: cW5i0RdQ4L.exe, Detection: malicious
• Filename: cW5i0RdQ4L.exe, Detection: malicious
• Filename: 67079aecc452b_xin.exe, Detection: malicious
• Filename: 6706e721f2c06.exe, Detection: malicious
• Filename: hlyG1m5UmO.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: M13W1o3scc.exe, Detection: malicious
                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\72076\Launches.pif
                                                                                                                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65440
                                                                                                                                                                            Entropy (8bit):6.049806962480652
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                                                                                                                            MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                                            SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                                                                                                                            SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                                                                                                                            SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: t1B7sgX825.exe, Detection: malicious
• Filename: 08(2)_00.exe, Detection: malicious
• Filename: rDoc5633276235623657_xls.exe, Detection: malicious
• Filename: lchs.exe, Detection: malicious
• Filename: Shipping Documemt.vbs, Detection: malicious
• Filename: AaK2FmzNcl.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe, Detection: malicious
• Filename: pic4.jpg.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):420239
                                                                                                                                                                            Entropy (8bit):7.9996089165412725
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:12288:jPaglnjMkNF5iT/bCRILfQBhhJCDoTaHSs:Flnjbq/bC+f+wDoOHSs
                                                                                                                                                                            MD5:78490A8C0979F627FCF9817A5A6441A4
                                                                                                                                                                            SHA1:472C2041122415DFEE9C75CF9573827D4EEADDA7
                                                                                                                                                                            SHA-256:8711245C729901471854228C9296EB81DA03B3E7A62A0A8D840747FC11E02C85
                                                                                                                                                                            SHA-512:C0F5883095FB8D31A5254012C265FBE33A8DC6847431FB56AC2D59B475A278BDC62544ECC73F6B1A19ACA7E3CDA39CFE79A9BB6E279B94999E55C301BEBBC8F4
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..}].....<.,%.^dX..5..!Z...;......-IY..db..`......7?.....Z....[.+.....q..i.?TGLd.`w....a)R.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rx...5.I.'.F...h.............8....e.8....e.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....#..,P..Myn.2..t.W............k.2.8.....T.8....e.m.....6.....5...x..2).U.j....>.T#.~...He....<%i.......u-......r.w....i,9..a.` ...K=._.EN3SY.<...N.`.`g......' ."..vd...k.n*.P..'......0.%.;!..il."..HM...7.z..Y(?.[y&..M..........nG..t....j...q..%q,..3.r.r.....{m...z.{.-dXJ.h.]....(?.....P$w.k...4...mS.Ts.]. ...'..2..(R.>..p..X...`w..N.../....b.....8...{y......:..AB.u....e..?..p.....1P.|.Z..I~./...-....t...Y....t..K.{.:........!o..!.....
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):92160
                                                                                                                                                                            Entropy (8bit):7.998172355437157
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:1536:zvqgDz0auKciGQkNKQl3DYDdjSXogZbEhOU7IKhXM4E7ia1Y:WBauKxkNP9tbo/IKdE7iaK
                                                                                                                                                                            MD5:8F2D0F66949DBAF2B2D01B372F1D1EF9
                                                                                                                                                                            SHA1:0C032B114276123BA432C02E1A5FC398F86BBC45
                                                                                                                                                                            SHA-256:9FD98BBAA8AA38BE6D437DA50043547840F532D1655EBE0A5A4B42ED35C7A559
                                                                                                                                                                            SHA-512:970969F0ECF909A47161AEAEC37AC72D1059FC1BA875AC0686334543F0CC9065B22E79EADD929D41C7D6D8B059B6DAF5C69E2C3ABFBC47417243D505D6675333
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:u.DK4z\...&.`2..........e.>....B...x...x.[.%...6.6.a.n0...<.x~...<...3.l..(.@h....~Rse...b^\.D.J~"lB...Jt..@g...I1....=....U...."._Lv.`.d.|.............(.x..fj.R;.....~L.Ca.'...S........]..V.....Y$?....].kc...._.d.x..H........K.Q.]W).M.C..2.u...DeD\.....Jj....{.WI7..VSUS....).9S...!.l.....f....3..*...'....Ld1.+......r....V..Y. Y...k8...9..z.).....>oz....T.=(..p\....d.....i.V..}I.......w.+..?a{.q.b....9..@Z.8?_.dT&..a#..w...5N.. ..^]f..}.O..t...l..`;.*f.2.S.rL.0...bBW..\Q.u...m...<..>..!A.I.FE..Za.......=<.P.X....._.F...-'..l.fs.........-.D...8....#.s...}..r....X...YF.!.x!N....U...^^.C#..{K....@..."....../#...v6.3..l.2.!.4....]...j.....x.G..f.."a.!....D%h.C....Q6.KG._.Ev)....'/.8._<..g.'..n.y.^.......r......f~.b.G.w.`.8.;_. j.nH.c.o+.Z.4....x....7.c..p...n.f\.ww...1.A.v......!.......a.._..l.-...k.1......=pc+u...w......k..vQF/.+.R....W*..T.".4.....4K\.k...l?.(.ps...n.......qp.Q..86S...2....r...L...3F.-.G...4..z9*...E..g...Bf.....T.....\...G
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):888126
                                                                                                                                                                            Entropy (8bit):6.622335651056381
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:QV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:yxz1JMyyzlohMf1tN70aw8501
                                                                                                                                                                            MD5:9E472DFB4AA9E650F42014869344AA5A
                                                                                                                                                                            SHA1:FA126D3BD607524507C57D2CAD46735ECE0DAE9C
                                                                                                                                                                            SHA-256:0FEBD931280B14D0747869030D265C77EF301158680E0EF360522481D2E81E2D
                                                                                                                                                                            SHA-512:B192F9FD67BE1EBF8F413582036AF23463AE8A277B1E8053A177AFA4279B54C5C6428ACD6BEBF00245F1CF92AB897739F73668DF68F843AD29EB3DED7180662E
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:j0V....I.9..........._..^[].0.%.....U...8SV.u.W.~:...m....].........E.E.P.6..4.I..M.E.VD.~H.M..E..U..}.....d.......s............}....E.P.3....I..E.M.+..U.E.E.+.E.E.P.6.U..M...p.I..}....E..u.M..}.f..........E...}.f.......E...E...}.f.......E...E...}.f......f..............t(.E.f.........u..........E..+...;............t'.E.f........`u..........E..+...;........U......................... ..R.....@..U..._^[..]....}.f.FX.......f......f.F\f......t_f.F`f......f.Fdf.......E.P.7..4.I....9^Xt=9^\tE.E.P.7....I.9^`......9^d...............{.......}..t..f.E.f.......f.E.f.......U..wL..M..........E....t..AX.E....t..A\.E...~..A`.E...~..Ad]...U..Q..xL.V.u.Wj.....8W................4xL.j.Z.U.;........$xL.....0.........F.;G.............................................}...VW.....~d.......~h.......~D........~P.......>.t..6..<.I..&..u...wL..x.....4xL..U.B.U.;...V....u... .........$..........xL........t.Q........xL..... ....wL.J...wL.;5.xL.u....xL.....xL.........._^..u..5.wL.R....I..%
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):74752
                                                                                                                                                                            Entropy (8bit):7.99770612293514
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:1536:CqtEhrLCHJqu5Ni+tUyxpcAwgU/HKH3bj6hc3TaIrcYOt:xE1yH5Ni49DJwgU/HKH3v6auYOt
                                                                                                                                                                            MD5:31709B274F120FC824D4201C851AB05B
                                                                                                                                                                            SHA1:2273B87CED1B45D0B5BE3B69129B7FCCD87B242E
                                                                                                                                                                            SHA-256:F27112C86F03CBB7AD3794D5AE25ED3266D759454F77FD277779D92C78E30BD4
                                                                                                                                                                            SHA-512:E8CCA4F35AACECB4DC062F8EFEF3AA1B04600833B3EE82A2480C3FDD2A27ABF44589A1EFB955488814253F69270E13253E150F02987C84116CCDBD854E77BCA5
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..}].....<.,%.^dX..5..!Z...;......-IY..db..`......7?.....Z....[.+.....q..i.?TGLd.`w....a)R.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rx...5.I.'.F...h.............8....e.8....e.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....#..,P..Myn.2..t.W............k.2.8.....T.8....e.m.....6.....5...x..2).U.j....>.T#.~...He....<%i.......u-......r.w....i,9..a.` ...K=._.EN3SY.<...N.`.`g......' ."..vd...k.n*.P..'......0.%.;!..il."..HM...7.z..Y(?.[y&..M..........nG..t....j...q..%q,..3.r.r.....{m...z.{.-dXJ.h.]....(?.....P$w.k...4...mS.Ts.]. ...'..2..(R.>..p..X...`w..N.../....b.....8...{y......:..AB.u....e..?..p.....1P.|.Z..I~./...-....t...Y....t..K.{.:........!o..!.....
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):90112
                                                                                                                                                                            Entropy (8bit):7.997968848515228
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:1536:3yvb76bs28es8dnqEX/mrRAtgGmoH7KxFGH0hCcLhMSPMkxth+kaNa3VGUiE:CvkqE6ueGmoyFGHIdBP/jaN0VGC
                                                                                                                                                                            MD5:8E319204F44DD7F3DC576AF2F5AD460A
                                                                                                                                                                            SHA1:AA93C6DE824398C0B72FC2FF73F5880F947B9138
                                                                                                                                                                            SHA-256:CCE6247863F966B4C491F3E5ABC7DCC6D539CAB4EE155C0CD89A9D1340AEE8D3
                                                                                                                                                                            SHA-512:1436B1ACDB02BD698C1CBE8B6A04EB19F1561F66A14318C4C391AC55F1E035C5D8ED88BCD990DB0CDFEE9E5F51FD177F060E7AC79FC3EDC6210E99EF864F469E
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:...$h...mm....:.'|..V....0A.t.c._.Eu......L.,....J.{6.}..h....=&?;...[YmqN...-4.g.`Ju.^?.g..M.....Vq........#....Ip..`.!".l..........u..f......e\.....~.>s9w.>...C..K..~..m.I.P{..H..k..x..^,..n.M.SG.....T.}...|K..../..HZWHA.d.......@..\.O.2...X...z.Q.MZ_./%........%u.....F. .U.PnnW}`.`.@4.[...V........m.p..v.6.....<Z.0.u@&ly..>.3V......zJm..{..va...Cb............N.....(...%."?....'.......3.2....x..(.;...s._..R.L.....q(..{D.'e.Z^2.V_WK.0.ok.N.0.....V...&..x....e{?.r.ww...~.JR...I.4.Z.D.F...X...z..?p..O.$NGCF...Yf..w.B..2...>{y.../....#m...T.10..D.&M..tU....qG.$..C..{{K.....P.Z?.....l.4q....,.=.*..q.XN.X7ff.G.dI...`...........f..7.&y....f..\.....!..E..\....].((qs...m..C.%. .OV./.H..+W..............+[..?.SV.**.....+...ZO{g......et...T]M.M+.:.)s.D....(s..0.....-!.F....@...x-....u......r.!...:Rq..d!.}*..S{...IM..d..x..]B..Yg..b..;.w.S...x..0.zOc]H..U...x.oc#...+...K.4.!..!.{\.9...~....A..5M/.v.......u.......gv}.. 62.9%I)Q..$..f,)E1......t.>.Xvpb....{.
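The records above are described by a handful of derived fields: an 8-bit entropy with an Encrypted verdict (true at roughly 7.998, false at roughly 6.62), a File Type that distinguishes "PE32 executable (GUI)" from "PE32 executable (console) ... Mono/.Net assembly", and the MD5/SHA hashes. Two of the "data" drops (420239 and 74752 bytes) also show an identical preview while differing in every hash, so a byte-level prefix comparison is the natural next check. The script below is an added example, not code from the report or from Joe Sandbox, reproducing those fields on bytes you hold: Shannon entropy, an Encrypted verdict, the PE32 Subsystem and CLR data-directory reads behind the File Type wording, the hashes, and a common-prefix length. The 7.9 entropy cut-off is an assumption (Joe Sandbox's exact threshold is not stated on the page), and the PE headers it builds are constructed in memory for demonstration, not the dropped files.

```python
"""Reproduce the report's derived file fields (added example, not report code)."""
import hashlib
import math
import struct
from collections import Counter

ENCRYPTED_ENTROPY_THRESHOLD = 7.9   # assumption; the page's true/false values straddle it

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
SUBSYSTEMS = {2: "GUI", 3: "console"}
CLR_DIRECTORY_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_info(data: bytes):
    """(subsystem name, is_dotnet) for a PE32 image, or None if the bytes are not PE32."""
    if data[:2] != IMAGE_DOS_SIGNATURE or len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    opt = e_lfanew + 4 + 20             # skip signature and 20-byte COFF header
    if len(data) < opt + 96:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        return None                     # PE32+ uses different offsets; out of scope
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (num_dirs,) = struct.unpack_from("<I", data, opt + 92)
    is_dotnet = False
    if num_dirs > CLR_DIRECTORY_INDEX:
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * CLR_DIRECTORY_INDEX)
        is_dotnet = rva != 0 and size != 0
    return SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}"), is_dotnet


def triage(data: bytes) -> dict:
    """The report-style fields for one blob of dropped-file bytes."""
    ent = shannon_entropy(data)
    info = pe_info(data)
    if info is None:
        file_type = "data"
    else:
        file_type = f"PE32 executable ({info[0]})" + (" Mono/.Net assembly" if info[1] else "")
    return {
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "file_type": file_type,
    }


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the shared leading byte run (for drops whose previews match)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def build_pe32(subsystem: int, dotnet: bool) -> bytes:
    """Constructed minimal PE32 header with no sections, for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)
```

Run triage over each file in the sandbox's dropped-file directory and compare the hashes against the report; a payload whose entropy sits near 8.0 with no PE header, like the three "data" drops above, is the one to hand to the unpacking step first.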
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines (701), with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):19614
                                                                                                                                                                            Entropy (8bit):5.111305020482894
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:saIumW1XDpRcLDD15YVx4I7kdl4jLs2SmMvptNVVYY296QS:sEXDvcJ5Ux4IeSjLsXmCLt
                                                                                                                                                                            MD5:760676D8E0F2A9E3012EE11B7AC50C59
                                                                                                                                                                            SHA1:616D91F2E3F9A91BCBE68EE3E2D1CD4E320CC19B
                                                                                                                                                                            SHA-256:A3C4FE5E9A0E64ECFB9A094DB7E695EE75009A65B27982C435FC9EEBFF45F40F
                                                                                                                                                                            SHA-512:0E5A31AD7A22D0B5C353DB1528E978B6068E5A887552BE938936FDC0807CAE8F52F8BFEA03D53BA2A9693E3A5232E29EE2281D47193DC13D8E40EC2B541A2410
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:Set Diy=2..cAnhGamespot-Arrived-..imhcBali-Jd-Champions-..LxBut-Reputation-Wives-Addressing-Matched-Un-..kXvhScreens-Appliance-Nebraska-Colleagues-Dale-Printers-Electron-..eLTechnology-..bJBrowsing-Cayman-Tue-Indication-Spell-Following-Powers-Performance-..nLkSpec-Sufficiently-Rc-Custom-Lived-Og-Context-..fVsBlack-Mo-Harmful-Quantities-..TySolar-Blowjob-Shift-..QVvUpskirt-Participation-Revised-Weeks-..Set Journal=D..kzDon-Ka-Programme-..zQIMime-Zoom-Dressed-Cc-Missed-..LYCalibration-Suited-Caring-Upskirts-Possibility-Southeast-Win-Cheaper-Lovely-..XWBasics-Working-Ah-Plastics-Pf-Hundred-Viewing-Deer-..aBExecution-Said-Ne-Body-..Set Continuity=O..QWiVisitors-Gordon-Farm-Courtesy-Consent-Struck-Grand-Shoulder-..OveBroad-Interaction-Microphone-..mDOrganisations-Linked-It-Tm-Libraries-Minolta-Colours-Headers-Fallen-..koRetail-Investigated-..LQdoStats-Refine-Ide-Wn-Wines-Party-Guitars-Sweden-..mdalImpacts-Transcription-..KGJJimmy-Crm-Microwave-Discretion-Trials-Learners-Pcs-Mice-Spiritualit
                                                                                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines (701), with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):19614
                                                                                                                                                                            Entropy (8bit):5.111305020482894
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:saIumW1XDpRcLDD15YVx4I7kdl4jLs2SmMvptNVVYY296QS:sEXDvcJ5Ux4IeSjLsXmCLt
                                                                                                                                                                            MD5:760676D8E0F2A9E3012EE11B7AC50C59
                                                                                                                                                                            SHA1:616D91F2E3F9A91BCBE68EE3E2D1CD4E320CC19B
                                                                                                                                                                            SHA-256:A3C4FE5E9A0E64ECFB9A094DB7E695EE75009A65B27982C435FC9EEBFF45F40F
                                                                                                                                                                            SHA-512:0E5A31AD7A22D0B5C353DB1528E978B6068E5A887552BE938936FDC0807CAE8F52F8BFEA03D53BA2A9693E3A5232E29EE2281D47193DC13D8E40EC2B541A2410
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:Set Diy=2..cAnhGamespot-Arrived-..imhcBali-Jd-Champions-..LxBut-Reputation-Wives-Addressing-Matched-Un-..kXvhScreens-Appliance-Nebraska-Colleagues-Dale-Printers-Electron-..eLTechnology-..bJBrowsing-Cayman-Tue-Indication-Spell-Following-Powers-Performance-..nLkSpec-Sufficiently-Rc-Custom-Lived-Og-Context-..fVsBlack-Mo-Harmful-Quantities-..TySolar-Blowjob-Shift-..QVvUpskirt-Participation-Revised-Weeks-..Set Journal=D..kzDon-Ka-Programme-..zQIMime-Zoom-Dressed-Cc-Missed-..LYCalibration-Suited-Caring-Upskirts-Possibility-Southeast-Win-Cheaper-Lovely-..XWBasics-Working-Ah-Plastics-Pf-Hundred-Viewing-Deer-..aBExecution-Said-Ne-Body-..Set Continuity=O..QWiVisitors-Gordon-Farm-Courtesy-Consent-Struck-Grand-Shoulder-..OveBroad-Interaction-Microphone-..mDOrganisations-Linked-It-Tm-Libraries-Minolta-Colours-Headers-Fallen-..koRetail-Investigated-..LQdoStats-Refine-Ide-Wn-Wines-Party-Guitars-Sweden-..mdalImpacts-Transcription-..KGJJimmy-Crm-Microwave-Discretion-Trials-Learners-Pcs-Mice-Spiritualit
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):61440
                                                                                                                                                                            Entropy (8bit):7.997091785746
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:1536:ZFUUx6pwe9hVRwzmD0MPSYrz/angq+ldnwh4buCt83ofAhna:7WpRamH7r+ngq8dnHbuCG3yAha
                                                                                                                                                                            MD5:42436500E325B861C42E887CD628D4CC
                                                                                                                                                                            SHA1:8F5CC73E895479DEED184EB5F2E5B26C88FB2021
                                                                                                                                                                            SHA-256:6A441418116DA88A87E5CB0D5C683239CF174037A14EB7BBEA50CF93C13BE1F2
                                                                                                                                                                            SHA-512:80353791BEB93075F32A329F395893CC6405AA858275B668B849A978C73882CF4E4C010ED9C7B7E1386B4FBCED5C5DCE4098FEA12F0A04CCBA89FE4D3023EAD3
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2662
                                                                                                                                                                            Entropy (8bit):7.8230547059446645
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                                            MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                                            SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                                            SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                                            SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2662
                                                                                                                                                                            Entropy (8bit):7.8230547059446645
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                                            MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                                            SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                                            SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                                            SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):95232
                                                                                                                                                                            Entropy (8bit):7.998279107865314
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:1536:pTcSb+KT9p5mZNd1viurQv7hDUz7iLuaEinXZL2hm5r9N6OO4U1QxxSGai:p/b9j5mZNdKv7CzOL7EinR9jO4U1ISe
                                                                                                                                                                            MD5:7DD1DEF5A1D40E2CC11B86D108305856
                                                                                                                                                                            SHA1:72430E111A37DE13B51968A51B516C3C92B14D11
                                                                                                                                                                            SHA-256:DDF7B993E9926D69027AC0D516461E50DE18C93B49B20D86C8354CBC7F1A2DFF
                                                                                                                                                                            SHA-512:D2888392C322BB8C28F5536799A75AF24BE53A1BE4345BA1BE2F858B3DC4D76E793C1BE813007079553DBA36B1AF3A4963C2D5F620C8523D0854F1F92D02C063
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:SysEx File -
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):6543
                                                                                                                                                                            Entropy (8bit):7.9665867972422815
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:3kXPAvUXP1GG0sRukZoV3J++z43fBS5kJSFIsY1NV7IGTKzdU9P1NtY416BhKmyq:3cmUNG7kZerzGfnSFbWPoURHKYeIpngB
                                                                                                                                                                            MD5:C619C8157AE98FF02D5F0DDB8AF58F8C
                                                                                                                                                                            SHA1:6F776C8177601BF48673C288F98550EDF82CE80E
                                                                                                                                                                            SHA-256:5D845BE14BB27293881AA165E3BCCF5FE9444184B1ED9A09C119C39B119A804E
                                                                                                                                                                            SHA-512:087E9BA1D8F40BF95B13713D1E8C3BE52CA30338C28C9C734BF6287DE661A1FEA732A41017929B8426A2E1CD6F1AB6D292BD6AA0824DE5B903F2E3B68FC58BE5
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Users\user\Desktop\GOmRjFSKNz.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):5508
                                                                                                                                                                            Entropy (8bit):6.079035795908131
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:yxgUzr4tgOwVAfBzDICS09CAi6R7u+IhsObfS+NsPvj6ooxdofjxP3yGj1B:AHAeOqAFDw09CV/2nPvj6DdMP3r1B
                                                                                                                                                                            MD5:B6789D8027794142C4BAC9A74C68C63E
                                                                                                                                                                            SHA1:927CDD6C97C27FC2DEFD7DE098BCCDA29B48847C
                                                                                                                                                                            SHA-256:4473101D3F926A84426CADEEDC51F488873F649644432A5E2097275034919D0C
                                                                                                                                                                            SHA-512:7EDCB5146DE5B1207080D598D1D466E2E17989FB3EEB5C7D990E29418BFC77474E74AF8A653CE6923FDE6BD8AFA240DBA866F7931FC2421BCA13AF64CF8225EC
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SILICONLATINOAMPLANDBLOW..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B......................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
File Type:data
Category:dropped
Size (bytes):2251
Entropy (8bit):7.634813089843593
Encrypted:false
SSDEEP:48:S7SjQDUhr47iCkbNlR9WHTZHZx3bdU9V8xxvctnDcgvvej4yLsCJW:ASUD3Fk5lRcHxZxrdwOxu9DBvFoW
MD5:35189FE8EF38DA33ED603DD4E1F832F9
SHA1:12156E2B8F5E63860BEB86453039986930E6FEE1
SHA-256:0F38B6DEC5EEB22C46A31D33022431DDEC7D5D924E32C01A8184083501E55F7F
SHA-512:B24B1C92B86C0B85BFD112FCBD165562AC8BEA3DA6141F72B3258BB72EFCA483E4E9BC5BEF5089EFF26337705838B6DE0F77B703F24D4106F2025D1AD466346F
Malicious:false
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.8115204801573555
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:GOmRjFSKNz.exe
File size:967'740 bytes
MD5:01ef5f0617d6cb995abe430c3c6c7acd
SHA1:9d6cee782bce7762f58f2bf6c1c38218491e9f94
SHA256:bc37b8380183870ec6acd56886f3ef4537bf63c71935a094307875e03b0d2bb5
SHA512:22c51adae0926d86adbe4501a96d0018b3eca5510cdf7bb9a40ae38f8c6ff46bf10b893e2e24d585ee2a84767ab67e3c3519f2d7c3192aad293e70c828bda5ec
SSDEEP:24576:PXvK4Xot7jgUuQJ4RerTCk7Zp1sZKvsfzxSHcm:XVXohjgPQJMa7dULxS8m
TLSH:1B25126245BB8897F26C0DB17422509636E6DC63C5AD4E7A32A6BF7D74318C14E2C32F
Icon Hash:00a4a4a0bafec6d9
Entrypoint:0x403883
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:be41bf7b8cc010b614bd36bbca606973
Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F4C90D8123Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F4C90D80F1Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F4C90D80F0Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F4C90D7E80Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F4C90D80BE1h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F4C90D7E893h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F4C90D7E80Ah
add esi, 02h
cmp word ptr [esi], bx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x18230 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xf4000 | 0x18230 | 0x18400 | aed7a309d71788055593343feb166489 | False | 0.13999073775773196 | data | 4.453157753333787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x10d000 | 0xf32 | 0x1000 | feac04c9105fefc599bb70f28a0362d6 | False | 0.2177734375 | data | 5.072514748524003 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xf41f0 | 0x11028 | Device independent bitmap graphic, 128 x 256 x 32, image size 69632 | English | United States | 0.10019807096107475 |
| RT_ICON | 0x105218 | 0x4428 | Device independent bitmap graphic, 64 x 128 x 32, image size 17408 | English | United States | 0.20821870701513068 |
| RT_ICON | 0x109640 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.26078112286411714 |
| RT_DIALOG | 0x10bca8 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x10bda8 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x10bec8 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x10bf28 | 0x30 | data | English | United States | 0.875 |
| RT_MANIFEST | 0x10bf58 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
| USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 17:04:13.055944920 CEST | 50002 | 47928 | 192.168.2.4 | 87.120.114.39
Oct 15, 2024 17:04:13.061114073 CEST | 47928 | 50002 | 87.120.114.39 | 192.168.2.4
Oct 15, 2024 17:04:13.061232090 CEST | 50002 | 47928 | 192.168.2.4 | 87.120.114.39
Oct 15, 2024 17:04:13.069871902 CEST | 50002 | 47928 | 192.168.2.4 | 87.120.114.39
Oct 15, 2024 17:04:13.074827909 CEST | 47928 | 50002 | 87.120.114.39 | 192.168.2.4
Oct 15, 2024 17:04:21.558343887 CEST | 47928 | 50002 | 87.120.114.39 | 192.168.2.4
Oct 15, 2024 17:04:21.558485985 CEST | 50002 | 47928 | 192.168.2.4 | 87.120.114.39
Oct 15, 2024 17:04:21.582398891 CEST | 50002 | 47928 | 192.168.2.4 | 87.120.114.39

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 17:02:22.822249889 CEST | 53690 | 53 | 192.168.2.4 | 1.1.1.1
Oct 15, 2024 17:02:22.832077026 CEST | 53 | 53690 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 17:02:22.822249889 CEST | 192.168.2.4 | 1.1.1.1 | 0x89b5 | Standard query (0) | GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 17:02:22.832077026 CEST | 1.1.1.1 | 192.168.2.4 | 0x89b5 | Name error (3) | GRfewLDzqhRQJfpDiaidRNex.GRfewLDzqhRQJfpDiaidRNex | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 11:02:16
Start date: 15/10/2024
Path: C:\Users\user\Desktop\GOmRjFSKNz.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GOmRjFSKNz.exe"
Imagebase: 0x400000
File size: 967'740 bytes
MD5 hash: 01EF5F0617D6CB995ABE430C3C6C7ACD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 11:02:17
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c move Pediatric Pediatric.bat & Pediatric.bat
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 11:02:18
Start date: 15/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 11:02:19
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xb50000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 11:02:19
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "wrsa opssvc"
Imagebase: 0x4e0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 11:02:20
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xb50000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 11:02:20
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase: 0x4e0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 11:02:20
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c md 72076
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 11:02:20
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V "SILICONLATINOAMPLANDBLOW" Words
Imagebase: 0x4e0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

                                                                                                                                                                            Target ID:9
                                                                                                                                                                            Start time:11:02:21
                                                                                                                                                                            Start date:15/10/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:cmd /c copy /b ..\Indoor + ..\An + ..\Transport + ..\Strap + ..\Passed + ..\Treasure s
                                                                                                                                                                            Imagebase:0x240000
                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:10
                                                                                                                                                                            Start time:11:02:21
                                                                                                                                                                            Start date:15/10/2024
                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\72076\Launches.pif
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:Launches.pif s
                                                                                                                                                                            Imagebase:0x740000
                                                                                                                                                                            File size:893'608 bytes
                                                                                                                                                                            MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2825546542.000000000519F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2833770879.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2825065700.0000000001DDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2825688213.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2824672801.0000000001E5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2882687318.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2882687318.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2825305490.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2825305490.0000000001DD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2833826824.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2884666788.0000000001DDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2825915690.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2833895594.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2884370254.0000000001F02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000003.2884574282.0000000001E5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 5%, ReversingLabs
                                                                                                                                                                            Reputation:moderate
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:11
                                                                                                                                                                            Start time:11:02:21
                                                                                                                                                                            Start date:15/10/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\choice.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:choice /d y /t 5
                                                                                                                                                                            Imagebase:0xa50000
                                                                                                                                                                            File size:28'160 bytes
                                                                                                                                                                            MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:moderate
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:16
                                                                                                                                                                            Start time:11:04:01
                                                                                                                                                                            Start date:15/10/2024
                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\72076\RegAsm.exe
                                                                                                                                                                            Imagebase:0x260000
                                                                                                                                                                            File size:65'440 bytes
                                                                                                                                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000002.3032255109.0000000000342000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                            Has exited:false

                                                                                                                                                                              Execution Graph

                                                                                                                                                                              Execution Coverage:17.7%
                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                              Signature Coverage:20.7%
                                                                                                                                                                              Total number of Nodes:1528
                                                                                                                                                                              Total number of Limit Nodes:33
                                                                                                                                                                              execution_graph: node/edge listing of the call graph (each node is a node id followed by a function address and, where resolved, the imported API names or an "N API calls" count; edges are given as node->node). The rendered graph itself is not reproduced here.
4774->4773 4780 404acc 4775->4780 4782 403dca 8 API calls 4776->4782 4777 404cc1 SendMessageW 4777->4768 4778->4767 4779->4792 4785 403d3f 19 API calls 4780->4785 4781->4776 4787 404d33 SendMessageW 4781->4787 4788 404f6b 4782->4788 4789 404dab GlobalFree 4783->4789 4783->4794 4784->4783 4790 404add 4785->4790 4786 404f1c 4786->4776 4795 404f31 ShowWindow GetDlgItem ShowWindow 4786->4795 4791 404d46 4787->4791 4789->4794 4793 404baa GetWindowLongW SetWindowLongW 4790->4793 4802 404ba4 4790->4802 4805 404b39 SendMessageW 4790->4805 4806 404b67 SendMessageW 4790->4806 4807 404b7b SendMessageW 4790->4807 4801 404d57 SendMessageW 4791->4801 4792->4768 4792->4777 4796 404bc4 4793->4796 4794->4786 4797 404de4 4794->4797 4800 40141d 80 API calls 4794->4800 4795->4776 4798 404be2 4796->4798 4799 404bca ShowWindow 4796->4799 4810 404e12 SendMessageW 4797->4810 4813 404e28 4797->4813 4815 403d98 SendMessageW 4798->4815 4814 403d98 SendMessageW 4799->4814 4800->4797 4801->4771 4802->4793 4802->4796 4805->4790 4806->4790 4807->4790 4808 404ef3 InvalidateRect 4808->4786 4809 404f09 4808->4809 4816 4043ad 4809->4816 4810->4813 4812 404ea1 SendMessageW SendMessageW 4812->4813 4813->4808 4813->4812 4814->4776 4815->4769 4817 4043cd 4816->4817 4818 406805 18 API calls 4817->4818 4819 40440d 4818->4819 4820 406805 18 API calls 4819->4820 4821 404418 4820->4821 4822 406805 18 API calls 4821->4822 4823 404428 lstrlenW wsprintfW SetDlgItemTextW 4822->4823 4823->4786 4824 4026fc 4825 401ee4 4824->4825 4827 402708 4824->4827 4825->4824 4826 406805 18 API calls 4825->4826 4826->4825 4276 4019fd 4277 40145c 18 API calls 4276->4277 4278 401a04 4277->4278 4279 405e7f 2 API calls 4278->4279 4280 401a0b 4279->4280 4828 4022fd 4829 40145c 18 API calls 4828->4829 4830 402304 GetFileVersionInfoSizeW 4829->4830 4831 40232b GlobalAlloc 4830->4831 4835 4030e3 4830->4835 4832 40233f GetFileVersionInfoW 4831->4832 4831->4835 4833 402350 VerQueryValueW 4832->4833 4834 402381 GlobalFree 4832->4834 
4833->4834 4837 402369 4833->4837 4834->4835 4841 405f51 wsprintfW 4837->4841 4839 402375 4842 405f51 wsprintfW 4839->4842 4841->4839 4842->4834 4843 402afd 4844 40145c 18 API calls 4843->4844 4845 402b04 4844->4845 4850 405e50 GetFileAttributesW CreateFileW 4845->4850 4847 402b10 4848 4030e3 4847->4848 4851 405f51 wsprintfW 4847->4851 4850->4847 4851->4848 4852 4029ff 4853 401553 19 API calls 4852->4853 4854 402a09 4853->4854 4855 40145c 18 API calls 4854->4855 4856 402a12 4855->4856 4857 402a1f RegQueryValueExW 4856->4857 4859 401a13 4856->4859 4858 402a3f 4857->4858 4862 402a45 4857->4862 4858->4862 4863 405f51 wsprintfW 4858->4863 4861 4029e4 RegCloseKey 4861->4859 4862->4859 4862->4861 4863->4862 4864 401000 4865 401037 BeginPaint GetClientRect 4864->4865 4866 40100c DefWindowProcW 4864->4866 4868 4010fc 4865->4868 4869 401182 4866->4869 4870 401073 CreateBrushIndirect FillRect DeleteObject 4868->4870 4871 401105 4868->4871 4870->4868 4872 401170 EndPaint 4871->4872 4873 40110b CreateFontIndirectW 4871->4873 4872->4869 4873->4872 4874 40111b 6 API calls 4873->4874 4874->4872 4875 401f80 4876 401446 18 API calls 4875->4876 4877 401f88 4876->4877 4878 401446 18 API calls 4877->4878 4879 401f93 4878->4879 4880 401fa3 4879->4880 4881 40145c 18 API calls 4879->4881 4882 401fb3 4880->4882 4883 40145c 18 API calls 4880->4883 4881->4880 4884 402006 4882->4884 4885 401fbc 4882->4885 4883->4882 4887 40145c 18 API calls 4884->4887 4886 401446 18 API calls 4885->4886 4889 401fc4 4886->4889 4888 40200d 4887->4888 4890 40145c 18 API calls 4888->4890 4891 401446 18 API calls 4889->4891 4892 402016 FindWindowExW 4890->4892 4893 401fce 4891->4893 4897 402036 4892->4897 4894 401ff6 SendMessageW 4893->4894 4895 401fd8 SendMessageTimeoutW 4893->4895 4894->4897 4895->4897 4896 4030e3 4897->4896 4899 405f51 wsprintfW 4897->4899 4899->4896 4900 402880 4901 402884 4900->4901 4902 40145c 18 API calls 4901->4902 4903 4028a7 4902->4903 4904 40145c 18 API calls 4903->4904 4905 4028b1 
4904->4905 4906 4028ba RegCreateKeyExW 4905->4906 4907 4028e8 4906->4907 4914 4029ef 4906->4914 4908 402934 4907->4908 4909 40145c 18 API calls 4907->4909 4910 402963 4908->4910 4913 401446 18 API calls 4908->4913 4912 4028fc lstrlenW 4909->4912 4911 4029ae RegSetValueExW 4910->4911 4915 40337f 37 API calls 4910->4915 4918 4029c6 RegCloseKey 4911->4918 4919 4029cb 4911->4919 4916 402918 4912->4916 4917 40292a 4912->4917 4920 402947 4913->4920 4921 40297b 4915->4921 4922 4062a3 11 API calls 4916->4922 4923 4062a3 11 API calls 4917->4923 4918->4914 4924 4062a3 11 API calls 4919->4924 4925 4062a3 11 API calls 4920->4925 4931 406224 4921->4931 4927 402922 4922->4927 4923->4908 4924->4918 4925->4910 4927->4911 4930 4062a3 11 API calls 4930->4927 4932 406247 4931->4932 4933 40628a 4932->4933 4934 40625c wsprintfW 4932->4934 4935 402991 4933->4935 4936 406293 lstrcatW 4933->4936 4934->4933 4934->4934 4935->4930 4936->4935 4937 402082 4938 401446 18 API calls 4937->4938 4939 402093 SetWindowLongW 4938->4939 4940 4030e3 4939->4940 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3639 403859 3483->3639 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3490 403ac1 3667 4060e7 3490->3667 3491 403ae1 3646 405ca0 3491->3646 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3650 406009 lstrcpynW 3493->3650 3501 403bdd 
3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 
3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 
3641 403863 CloseHandle 3639->3641 3966 403c83 3640->3966 3641->3640 3647 405cb5 3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4023 406009 lstrcpynW 3651->4023 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4024 405e50 GetFileAttributesW CreateFileW 3674->4024 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4027 406009 lstrcpynW 3684->4027 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4025 405f51 wsprintfW 3696->4025 4026 406009 lstrcpynW 3696->4026 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 
4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4028 406a99 lstrcpyW 3704->4028 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 
4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 3774 40634f PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3965 406009 lstrcpynW 3820->3965 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3915 40160c 3834->3915 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 
40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 3843 401672 3835->3843 3844 401693 3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3915 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3942 40145c 3842->3942 3859 40145c 18 API calls 3843->3859 3957 401446 3844->3957 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3915 3847->3915 3964 405f51 wsprintfW 3847->3964 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3915 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3915 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3915 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3915 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3915 3879 4062a3 11 API calls 3868->3879 3869->3915 3870->3915 3871->3915 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3960 4062d5 FindFirstFileW 3874->3960 3885 40197f 3875->3885 3928 4019a1 3875->3928 3877 40169a 3887 4062a3 11 API calls 3877->3887 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3910 4062d5 2 API calls 3885->3910 3885->3928 3895 4016a7 3887->3895 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3915 3908 404f72 25 API calls 3892->3908 3904 4016b1 Sleep 3895->3904 3905 4016ae 3895->3905 3896 4019b8 GetShortPathNameW 3896->3915 3906 
4018f5 3897->3906 3898->3915 3899->3915 3907 4062a3 11 API calls 3900->3907 3901 4018c2 3911 4062a3 11 API calls 3901->3911 3902 4018a9 3909 4062a3 11 API calls 3902->3909 3904->3915 3905->3904 3913 4062a3 11 API calls 3906->3913 3907->3915 3908->3915 3909->3915 3914 401991 3910->3914 3911->3915 3912 4017d4 3916 401864 3912->3916 3919 405d06 CharNextW 3912->3919 3937 4062a3 11 API calls 3912->3937 3917 401902 MoveFileW 3913->3917 3914->3928 3963 406009 lstrcpynW 3914->3963 3915->3832 3916->3892 3918 40186e 3916->3918 3920 401912 3917->3920 3921 40191e 3917->3921 3922 404f72 25 API calls 3918->3922 3924 4017e6 CreateDirectoryW 3919->3924 3920->3892 3926 401942 3921->3926 3931 4062d5 2 API calls 3921->3931 3927 401875 3922->3927 3924->3912 3925 4017fe GetLastError 3924->3925 3929 401827 GetFileAttributesW 3925->3929 3930 40180b GetLastError 3925->3930 3936 4062a3 11 API calls 3926->3936 3956 406009 lstrcpynW 3927->3956 3928->3896 3928->3915 3929->3912 3933 4062a3 11 API calls 3930->3933 3934 401929 3931->3934 3933->3912 3934->3926 3939 406c68 42 API calls 3934->3939 3935 401882 SetCurrentDirectoryW 3935->3915 3938 40195c 3936->3938 3937->3912 3938->3915 3940 401936 3939->3940 3941 404f72 25 API calls 3940->3941 3941->3926 3943 406805 18 API calls 3942->3943 3944 401488 3943->3944 3945 401497 3944->3945 3946 406038 5 API calls 3944->3946 3947 4062a3 lstrlenW wvsprintfW 3945->3947 3946->3945 3948 4060e7 9 API calls 3947->3948 3949 4017c9 3948->3949 3950 405d59 CharNextW CharNextW 3949->3950 3951 405d76 3950->3951 3952 405d88 3950->3952 3951->3952 3953 405d83 CharNextW 3951->3953 3954 405dac 3952->3954 3955 405d06 CharNextW 3952->3955 3953->3954 3954->3912 3955->3952 3956->3935 3958 406805 18 API calls 3957->3958 3959 401455 3958->3959 3959->3877 3961 4018a5 3960->3961 3962 4062eb FindClose 3960->3962 3961->3901 3961->3902 3962->3961 3963->3928 3964->3915 3965->3822 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 
3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 CoUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 3974->4018 3981 4062d5 2 API calls 3975->3981 4003 406e58 3975->4003 3975->4014 3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3653 4024->3677 4025->3696 4026->3696 4027->3685 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 
4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3706 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 4036->4038 4037->4029 4037->4032 4039 406805 18 API calls 4038->4039 4040 406b69 4039->4040 4055 405e50 GetFileAttributesW CreateFileW 4040->4055 4042 406b76 4042->4032 4043 406b83 GetFileSize GlobalAlloc 4042->4043 4044 406ba4 ReadFile 4043->4044 4045 406c58 CloseHandle 4043->4045 4044->4045 4046 406bbe 4044->4046 4045->4032 4046->4045 4056 405db6 lstrlenA 4046->4056 4049 406bd7 lstrcpyA 4052 406bf9 4049->4052 4050 406beb 4051 405db6 4 API calls 4050->4051 4051->4052 4053 406c30 SetFilePointer WriteFile GlobalFree 4052->4053 4053->4045 4054->4035 4055->4042 4057 405df7 lstrlenA 4056->4057 4058 405dd0 lstrcmpiA 4057->4058 4059 405dff 4057->4059 4058->4059 4060 405dee CharNextA 4058->4060 4059->4049 4059->4050 4060->4057 4941 402a84 4942 401553 19 API calls 4941->4942 4943 402a8e 4942->4943 4944 401446 18 API calls 4943->4944 4945 402a98 4944->4945 4946 401a13 4945->4946 4947 402ab2 RegEnumKeyW 4945->4947 4948 402abe RegEnumValueW 4945->4948 4949 402a7e 4947->4949 4948->4946 4948->4949 4949->4946 4950 4029e4 RegCloseKey 4949->4950 4950->4946 4951 402c8a 4952 402ca2 4951->4952 4953 402c8f 4951->4953 4955 40145c 18 API calls 4952->4955 4954 401446 18 API calls 4953->4954 4957 402c97 4954->4957 4956 402ca9 lstrlenW 4955->4956 4956->4957 4958 402ccb WriteFile 4957->4958 4959 401a13 4957->4959 4958->4959 4960 40400d 4961 40406a 4960->4961 4962 40401a lstrcpynA lstrlenA 4960->4962 4962->4961 4963 40404b 4962->4963 4963->4961 4964 404057 GlobalFree 4963->4964 4964->4961 4965 401d8e 4966 40145c 18 API calls 4965->4966 4967 401d95 ExpandEnvironmentStringsW 4966->4967 4968 401da8 4967->4968 4970 401db9 4967->4970 4969 401dad lstrcmpW 4968->4969 4968->4970 4969->4970 4971 401e0f 4972 401446 18 API calls 4971->4972 4973 401e17 4972->4973 4974 
401446 18 API calls 4973->4974 4975 401e21 4974->4975 4976 4030e3 4975->4976 4978 405f51 wsprintfW 4975->4978 4978->4976 4979 402392 4980 40145c 18 API calls 4979->4980 4981 402399 4980->4981 4984 4071f8 4981->4984 4985 406ed2 25 API calls 4984->4985 4986 407218 4985->4986 4987 407222 lstrcpynW lstrcmpW 4986->4987 4988 4023a7 4986->4988 4989 407254 4987->4989 4990 40725a lstrcpynW 4987->4990 4989->4990 4990->4988 4061 402713 4076 406009 lstrcpynW 4061->4076 4063 40272c 4077 406009 lstrcpynW 4063->4077 4065 402738 4066 40145c 18 API calls 4065->4066 4068 402743 4065->4068 4066->4068 4067 402752 4070 40145c 18 API calls 4067->4070 4072 402761 4067->4072 4068->4067 4069 40145c 18 API calls 4068->4069 4069->4067 4070->4072 4071 40145c 18 API calls 4073 40276b 4071->4073 4072->4071 4074 4062a3 11 API calls 4073->4074 4075 40277f WritePrivateProfileStringW 4074->4075 4076->4063 4077->4065 4991 402797 4992 40145c 18 API calls 4991->4992 4993 4027ae 4992->4993 4994 40145c 18 API calls 4993->4994 4995 4027b7 4994->4995 4996 40145c 18 API calls 4995->4996 4997 4027c0 GetPrivateProfileStringW lstrcmpW 4996->4997 4998 402e18 4999 40145c 18 API calls 4998->4999 5000 402e1f FindFirstFileW 4999->5000 5001 402e32 5000->5001 5006 405f51 wsprintfW 5001->5006 5003 402e43 5007 406009 lstrcpynW 5003->5007 5005 402e50 5006->5003 5007->5005 5008 401e9a 5009 40145c 18 API calls 5008->5009 5010 401ea1 5009->5010 5011 401446 18 API calls 5010->5011 5012 401eab wsprintfW 5011->5012 4288 401a1f 4289 40145c 18 API calls 4288->4289 4290 401a26 4289->4290 4291 4062a3 11 API calls 4290->4291 4292 401a49 4291->4292 4293 401a64 4292->4293 4294 401a5c 4292->4294 4342 406009 lstrcpynW 4293->4342 4341 406009 lstrcpynW 4294->4341 4297 401a62 4301 406038 5 API calls 4297->4301 4298 401a6f 4299 406722 3 API calls 4298->4299 4300 401a75 lstrcatW 4299->4300 4300->4297 4303 401a81 4301->4303 4302 4062d5 2 API calls 4302->4303 4303->4302 4304 405e30 2 API calls 4303->4304 4306 401a98 CompareFileTime 

Control-flow Graph
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040512F
• GetDlgItem.USER32(?,000003EE), ref: 0040513E
• GetClientRect.USER32(?,?), ref: 00405196
• GetSystemMetrics.USER32(00000015), ref: 0040519E
• SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
• ShowWindow.USER32(?,00000008), ref: 0040523A
• GetDlgItem.USER32(?,000003EC), ref: 0040525B
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
• GetDlgItem.USER32(?,000003F8), ref: 0040514D
  • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• GetDlgItem.USER32(?,000003EC), ref: 004052AB
• CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
• CloseHandle.KERNELBASE(00000000), ref: 004052C0
• ShowWindow.USER32(00000000), ref: 004052E7
• ShowWindow.USER32(?,00000008), ref: 004052EC
• ShowWindow.USER32(00000008), ref: 00405333
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
• CreatePopupMenu.USER32 ref: 00405376
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
• GetWindowRect.USER32(?,?), ref: 0040539E
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
• OpenClipboard.USER32(00000000), ref: 0040540B
• EmptyClipboard.USER32 ref: 00405411
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
• GlobalLock.KERNEL32(00000000), ref: 00405427
• SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
• GlobalUnlock.KERNEL32(00000000), ref: 0040545D
• SetClipboardData.USER32(0000000D,00000000), ref: 00405468
• CloseClipboard.USER32 ref: 0040546E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
• String ID: @rD$New install of "%s" to "%s"${
• API String ID: 2110491804-2409696222
• Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
• Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
• Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
• Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Control-flow Graph
APIs
• #17.COMCTL32 ref: 004038A2
• SetErrorMode.KERNELBASE(00008001), ref: 004038AD
• OleInitialize.OLE32(00000000), ref: 004038B4
  • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
• SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
• GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
• CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
• GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
• GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
• lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
• DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
• CoUninitialize.COMBASE(?), ref: 00403AD1
• ExitProcess.KERNEL32 ref: 00403AF1
• lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
• lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
• CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
• SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
• DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
• CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
• CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
• GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                                                                                                              • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                                                                                                                              • API String ID: 2435955865-239407132
                                                                                                                                                                              • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                                                                                                              • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                                                                                                                              • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                                                                                                              • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 820 4074bb-4074c0 821 4074c2-4074ef 820->821 822 40752f-407547 820->822 824 4074f1-4074f4 821->824 825 4074f6-4074fa 821->825 823 407aeb-407aff 822->823 829 407b01-407b17 823->829 830 407b19-407b2c 823->830 826 407506-407509 824->826 827 407502 825->827 828 4074fc-407500 825->828 831 407527-40752a 826->831 832 40750b-407514 826->832 827->826 828->826 833 407b33-407b3a 829->833 830->833 836 4076f6-407713 831->836 837 407516 832->837 838 407519-407525 832->838 834 407b61-407c68 833->834 835 407b3c-407b40 833->835 851 407350 834->851 852 407cec 834->852 840 407b46-407b5e 835->840 841 407ccd-407cd4 835->841 843 407715-407729 836->843 844 40772b-40773e 836->844 837->838 839 407589-4075b6 838->839 847 4075d2-4075ec 839->847 848 4075b8-4075d0 839->848 840->834 845 407cdd-407cea 841->845 849 407741-40774b 843->849 844->849 850 407cef-407cf6 845->850 853 4075f0-4075fa 847->853 848->853 854 40774d 849->854 855 4076ee-4076f4 849->855 856 407357-40735b 851->856 857 40749b-4074b6 851->857 858 40746d-407471 851->858 859 4073ff-407403 851->859 852->850 862 407600 853->862 863 407571-407577 853->863 864 407845-4078a1 854->864 865 4076c9-4076cd 854->865 855->836 861 407692-40769c 855->861 856->845 866 407361-40736e 856->866 857->823 871 407c76-407c7d 858->871 872 407477-40748b 858->872 877 407409-407420 859->877 878 407c6d-407c74 859->878 867 4076a2-4076c4 861->867 868 407c9a-407ca1 861->868 880 407556-40756e 862->880 881 407c7f-407c86 862->881 869 40762a-407630 863->869 870 40757d-407583 863->870 864->823 873 407c91-407c98 865->873 874 4076d3-4076eb 865->874 866->852 882 407374-4073ba 866->882 867->864 868->845 883 40768e 869->883 884 407632-40764f 869->884 870->839 870->883 871->845 879 40748e-407496 872->879 873->845 874->855 885 407423-407427 877->885 878->845 879->858 889 407498 879->889 
880->863 881->845 887 4073e2-4073e4 882->887 888 4073bc-4073c0 882->888 883->861 890 407651-407665 884->890 891 407667-40767a 884->891 885->859 886 407429-40742f 885->886 893 407431-407438 886->893 894 407459-40746b 886->894 897 4073f5-4073fd 887->897 898 4073e6-4073f3 887->898 895 4073c2-4073c5 GlobalFree 888->895 896 4073cb-4073d9 GlobalAlloc 888->896 889->857 892 40767d-407687 890->892 891->892 892->869 899 407689 892->899 900 407443-407453 GlobalAlloc 893->900 901 40743a-40743d GlobalFree 893->901 894->879 895->896 896->852 902 4073df 896->902 897->885 898->897 898->898 904 407c88-407c8f 899->904 905 40760f-407627 899->905 900->852 900->894 901->900 902->887 904->845 905->869
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
• Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
• Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
• Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
APIs
• GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
• LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
• GetProcAddress.KERNEL32(00000000), ref: 00406327
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID:
• API String ID: 310444273-0
• Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
• Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
• Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
• Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
APIs
• FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
• FindClose.KERNEL32(00000000), ref: 004062EC
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
• Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
• Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
• Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                              control_flow_graph 56 405479-40548b 57 405491-405497 56->57 58 4055cd-4055dc 56->58 57->58 59 40549d-4054a6 57->59 60 40562b-405640 58->60 61 4055de-405626 GetDlgItem * 2 call 403d3f SetClassLongW call 40141d 58->61 62 4054a8-4054b5 SetWindowPos 59->62 63 4054bb-4054be 59->63 65 405680-405685 call 403daf 60->65 66 405642-405645 60->66 61->60 62->63 68 4054c0-4054d2 ShowWindow 63->68 69 4054d8-4054de 63->69 74 40568a-4056a5 65->74 71 405647-405652 call 40139d 66->71 72 405678-40567a 66->72 68->69 75 4054e0-4054f5 DestroyWindow 69->75 76 4054fa-4054fd 69->76 71->72 93 405654-405673 SendMessageW 71->93 72->65 73 405920 72->73 81 405922-405929 73->81 79 4056a7-4056a9 call 40141d 74->79 80 4056ae-4056b4 74->80 82 4058fd-405903 75->82 84 405510-405516 76->84 85 4054ff-40550b SetWindowLongW 76->85 79->80 89 4056ba-4056c5 80->89 90 4058de-4058f7 DestroyWindow KiUserCallbackDispatcher 80->90 82->73 87 405905-40590b 82->87 91 4055b9-4055c8 call 403dca 84->91 92 40551c-40552d GetDlgItem 84->92 85->81 87->73 95 40590d-405916 ShowWindow 87->95 89->90 96 4056cb-405718 call 406805 call 403d3f * 3 GetDlgItem 89->96 90->82 91->81 97 40554c-40554f 92->97 98 40552f-405546 SendMessageW IsWindowEnabled 92->98 93->81 95->73 126 405723-40575f ShowWindow KiUserCallbackDispatcher call 403d85 EnableWindow 96->126 127 40571a-405720 96->127 101 405551-405552 97->101 102 405554-405557 97->102 98->73 98->97 103 405582-405587 call 403d18 101->103 104 405565-40556a 102->104 105 405559-40555f 102->105 103->91 107 4055a0-4055b3 SendMessageW 104->107 109 40556c-405572 104->109 105->107 108 405561-405563 105->108 107->91 108->103 112 405574-40557a call 40141d 109->112 113 405589-405592 call 40141d 109->113 122 405580 112->122 113->91 123 405594-40559e 113->123 122->103 123->122 130 405761-405762 126->130 131 405764 126->131 
127->126 132 405766-405794 GetSystemMenu EnableMenuItem SendMessageW 130->132 131->132 133 405796-4057a7 SendMessageW 132->133 134 4057a9 132->134 135 4057af-4057ed call 403d98 call 406009 lstrlenW call 406805 SetWindowTextW call 40139d 133->135 134->135 135->74 144 4057f3-4057f5 135->144 144->74 145 4057fb-4057ff 144->145 146 405801-405807 145->146 147 40581e-405832 DestroyWindow 145->147 146->73 148 40580d-405813 146->148 147->82 149 405838-405865 CreateDialogParamW 147->149 148->74 150 405819 148->150 149->82 151 40586b-4058c2 call 403d3f GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 149->151 150->73 151->73 156 4058c4-4058d7 ShowWindow call 403daf 151->156 158 4058dc 156->158 158->82
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
• ShowWindow.USER32(?), ref: 004054D2
• DestroyWindow.USER32 ref: 004054E6
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
• GetDlgItem.USER32(?,?), ref: 00405523
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
• IsWindowEnabled.USER32(00000000), ref: 0040553E
• GetDlgItem.USER32(?,00000001), ref: 004055ED
• GetDlgItem.USER32(?,00000002), ref: 004055F7
• SetClassLongW.USER32(?,000000F2,?), ref: 00405611
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
• GetDlgItem.USER32(?,00000003), ref: 00405708
• ShowWindow.USER32(00000000,?), ref: 0040572A
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
• EnableWindow.USER32(?,?), ref: 00405757
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
• EnableMenuItem.USER32(00000000), ref: 00405774
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
• lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
• SetWindowTextW.USER32(?,00447240), ref: 004057DC
• ShowWindow.USER32(?,0000000A), ref: 00405910
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                              • String ID: @rD
                                                                                                                                                                              • API String ID: 3282139019-3814967855
                                                                                                                                                                              • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                                                                                                                              • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                                                                                                                              • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                                                                                                                              • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Control-flow Graph

control_flow_graph 159 4015a0-4015f4 160 4030e3-4030ec 159->160 161 4015fa 159->161 185 4030ee-4030f2 160->185 163 401601-401611 call 4062a3 161->163 164 401742-40174f 161->164 165 401962-40197d call 40145c GetFullPathNameW 161->165 166 4019ca-4019e6 call 40145c SearchPathW 161->166 167 40176e-401794 call 40145c call 4062a3 SetFileAttributesW 161->167 168 401650-40166d call 40137e call 4062a3 call 40139d 161->168 169 4017b1-4017d8 call 40145c call 4062a3 call 405d59 161->169 170 401672-401686 call 40145c call 4062a3 161->170 171 401693-4016ac call 401446 call 4062a3 161->171 172 401715-401731 161->172 173 401616-40162d call 40145c call 4062a3 call 404f72 161->173 174 4016d6-4016db 161->174 175 401736-4030de 161->175 176 401897-4018a7 call 40145c call 4062d5 161->176 177 4018db-401910 call 40145c * 3 call 4062a3 MoveFileW 161->177 178 40163c-401645 161->178 179 4016bd-4016d1 call 4062a3 SetForegroundWindow 161->179 163->185 189 401751-401755 ShowWindow 164->189 190 401758-40175f 164->190 224 4019a3-4019a8 165->224 225 40197f-401984 165->225 166->160 217 4019ec-4019f8 166->217 167->160 242 40179a-4017a6 call 4062a3 167->242 168->185 264 401864-40186c 169->264 265 4017de-4017fc call 405d06 CreateDirectoryW 169->265 243 401689-40168e call 404f72 170->243 248 4016b1-4016b8 Sleep 171->248 249 4016ae-4016b0 171->249 172->185 186 401632-401637 173->186 183 401702-401710 174->183 184 4016dd-4016fd call 401446 174->184 175->160 219 4030de call 405f51 175->219 244 4018c2-4018d6 call 4062a3 176->244 245 4018a9-4018bd call 4062a3 176->245 272 401912-401919 177->272 273 40191e-401921 177->273 178->186 187 401647-40164e PostQuitMessage 178->187 179->160 183->160 184->160 186->185 187->186 189->190 190->160 208 401765-401769 ShowWindow 190->208 208->160 217->160 219->160 228 4019af-4019b2 224->228 225->228 235 401986-401989 225->235 228->160 238 4019b8-4019c5 GetShortPathNameW 228->238 235->228 246 40198b-401993 call 4062d5 235->246 238->160 259 4017ab-4017ac 242->259 243->160 244->185 245->185 246->224 269 401995-4019a1 call 406009 246->269 248->160 249->248 259->160 267 401890-401892 264->267 268 40186e-40188b call 404f72 call 406009 SetCurrentDirectoryW 264->268 277 401846-40184e call 4062a3 265->277 278 4017fe-401809 GetLastError 265->278 267->243 268->160 269->228 272->243 279 401923-40192b call 4062d5 273->279 280 40194a-401950 273->280 292 401853-401854 277->292 283 401827-401832 GetFileAttributesW 278->283 284 40180b-401825 GetLastError call 4062a3 278->284 279->280 298 40192d-401948 call 406c68 call 404f72 279->298 288 401957-40195d call 4062a3 280->288 290 401834-401844 call 4062a3 283->290 291 401855-40185e 283->291 284->291 288->259 290->292 291->264 291->265 292->291 298->288
APIs
• PostQuitMessage.USER32(00000000), ref: 00401648
• Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016B2
• SetForegroundWindow.USER32(?), ref: 004016CB
• ShowWindow.USER32(?), ref: 00401753
• ShowWindow.USER32(?), ref: 00401767
• SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
• CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
• GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
• GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
• GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
• SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
• MoveFileW.KERNEL32(00000000,?), ref: 00401908
• GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
• GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
• SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
Strings
• IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
• Sleep(%d), xrefs: 0040169D
• CreateDirectory: "%s" created, xrefs: 00401849
• CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
• CreateDirectory: "%s" (%d), xrefs: 004017BF
• Rename on reboot: %s, xrefs: 00401943
• Rename: %s, xrefs: 004018F8
• Jump: %d, xrefs: 00401602
• CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
• BringToFront, xrefs: 004016BD
• Aborting: "%s", xrefs: 0040161D
• SetFileAttributes: "%s":%08X, xrefs: 0040177B
• Rename failed: %s, xrefs: 0040194B
• detailprint: %s, xrefs: 00401679
• Call: %d, xrefs: 0040165A
• IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
• SetFileAttributes failed., xrefs: 004017A1
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
• String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
• API String ID: 2872004960-3619442763
• Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
• Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
• Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
• Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Control-flow Graph

control_flow_graph 426 40592c-405944 call 4062fc 429 405946-405956 call 405f51 426->429 430 405958-405990 call 405ed3 426->430 438 4059b3-4059dc call 403e95 call 40677e 429->438 435 405992-4059a3 call 405ed3 430->435 436 4059a8-4059ae lstrcatW 430->436 435->436 436->438 444 405a70-405a78 call 40677e 438->444 445 4059e2-4059e7 438->445 451 405a86-405a8d 444->451 452 405a7a-405a81 call 406805 444->452 445->444 446 4059ed-405a15 call 405ed3 445->446 446->444 453 405a17-405a1b 446->453 455 405aa6-405acb LoadImageW 451->455 456 405a8f-405a95 451->456 452->451 460 405a1d-405a2c call 405d06 453->460 461 405a2f-405a3b lstrlenW 453->461 458 405ad1-405b13 RegisterClassW 455->458 459 405b66-405b6e call 40141d 455->459 456->455 457 405a97-405a9c call 403e74 456->457 457->455 465 405c35 458->465 466 405b19-405b61 SystemParametersInfoW CreateWindowExW 458->466 478 405b70-405b73 459->478 479 405b78-405b83 call 403e95 459->479 460->461 462 405a63-405a6b call 406722 call 406009 461->462 463 405a3d-405a4b lstrcmpiW 461->463 462->444 463->462 470 405a4d-405a57 GetFileAttributesW 463->470 469 405c37-405c3e 465->469 466->459 475 405a59-405a5b 470->475 476 405a5d-405a5e call 406751 470->476 475->462 475->476 476->462 478->469 484 405b89-405ba6 ShowWindow LoadLibraryW 479->484 485 405c0c-405c0d call 405047 479->485 487 405ba8-405bad LoadLibraryW 484->487 488 405baf-405bc1 GetClassInfoW 484->488 491 405c12-405c14 485->491 487->488 489 405bc3-405bd3 GetClassInfoW RegisterClassW 488->489 490 405bd9-405bfc DialogBoxParamW call 40141d 488->490 489->490 495 405c01-405c0a call 403c68 490->495 493 405c16-405c1c 491->493 494 405c2e-405c30 call 40141d 491->494 493->478 496 405c22-405c29 call 40141d 493->496 494->465 495->469 496->478
APIs
  • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
• lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
• lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
• lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
• GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
• RegisterClassW.USER32(0046AD60), ref: 00405B0A
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
• CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
  • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
• ShowWindow.USER32(00000005,00000000), ref: 00405B91
• LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
• LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
• GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
• GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
• RegisterClassW.USER32(0046AD60), ref: 00405BD3
• DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                              • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                                                                                              • API String ID: 608394941-1650083594
                                                                                                                                                                              • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                                                                                                              • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                                                                                                                              • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                                                                                                              • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Control-flow Graph

APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• lstrcatW.KERNEL32(00000000,00000000,open,004CB0B0,00000000,00000000), ref: 00401A76
• CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004CB0B0,00000000,00000000), ref: 00401AA0
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
• String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
• API String ID: 4286501637-2478300759
• Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
• Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
• Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
• Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Control-flow Graph

control_flow_graph 587 403587-4035d5 GetTickCount GetModuleFileNameW call 405e50 590 4035e1-40360f call 406009 call 406751 call 406009 GetFileSize 587->590 591 4035d7-4035dc 587->591 599 403615 590->599 600 4036fc-40370a call 4032d2 590->600 592 4037b6-4037ba 591->592 602 40361a-403631 599->602 606 403710-403713 600->606 607 4037c5-4037ca 600->607 604 403633 602->604 605 403635-403637 call 403336 602->605 604->605 611 40363c-40363e 605->611 609 403715-40372d call 403368 call 403336 606->609 610 40373f-403769 GlobalAlloc call 403368 call 40337f 606->610 607->592 609->607 637 403733-403739 609->637 610->607 635 40376b-40377c 610->635 613 403644-40364b 611->613 614 4037bd-4037c4 call 4032d2 611->614 619 4036c7-4036cb 613->619 620 40364d-403661 call 405e0c 613->620 614->607 623 4036d5-4036db 619->623 624 4036cd-4036d4 call 4032d2 619->624 620->623 634 403663-40366a 620->634 631 4036ea-4036f4 623->631 632 4036dd-4036e7 call 407281 623->632 624->623 631->602 636 4036fa 631->636 632->631 634->623 640 40366c-403673 634->640 641 403784-403787 635->641 642 40377e 635->642 636->600 637->607 637->610 640->623 643 403675-40367c 640->643 644 40378a-403792 641->644 642->641 643->623 645 40367e-403685 643->645 644->644 646 403794-4037af SetFilePointer call 405e0c 644->646 645->623 647 403687-4036a7 645->647 650 4037b4 646->650 647->607 649 4036ad-4036b1 647->649 651 4036b3-4036b7 649->651 652 4036b9-4036c1 649->652 650->592 651->636 651->652 652->623 653 4036c3-4036c5 652->653 653->623
APIs
• GetTickCount.KERNEL32 ref: 00403598
• GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
  • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
  • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
• GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
Strings
• Null, xrefs: 0040367E
• Error launching installer, xrefs: 004035D7
• Inst, xrefs: 0040366C
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
• soft, xrefs: 00403675
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 4283519449-527102705
• Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
• Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
• Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
• Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 654 40337f-403396 655 403398 654->655 656 40339f-4033a7 654->656 655->656 657 4033a9 656->657 658 4033ae-4033b3 656->658 657->658 659 4033c3-4033d0 call 403336 658->659 660 4033b5-4033be call 403368 658->660 664 4033d2 659->664 665 4033da-4033e1 659->665 660->659 666 4033d4-4033d5 664->666 667 4033e7-403407 GetTickCount call 4072f2 665->667 668 403518-40351a 665->668 669 403539-40353d 666->669 680 403536 667->680 682 40340d-403415 667->682 670 40351c-40351f 668->670 671 40357f-403583 668->671 673 403521 670->673 674 403524-40352d call 403336 670->674 675 403540-403546 671->675 676 403585 671->676 673->674 674->664 689 403533 674->689 678 403548 675->678 679 40354b-403559 call 403336 675->679 676->680 678->679 679->664 691 40355f-403572 WriteFile 679->691 680->669 685 403417 682->685 686 40341a-403428 call 403336 682->686 685->686 686->664 692 40342a-403433 686->692 689->680 693 403511-403513 691->693 694 403574-403577 691->694 695 403439-403456 call 407312 692->695 693->666 694->693 696 403579-40357c 694->696 699 40350a-40350c 695->699 700 40345c-403473 GetTickCount 695->700 696->671 699->666 701 403475-40347d 700->701 702 4034be-4034c2 700->702 703 403485-4034b6 MulDiv wsprintfW call 404f72 701->703 704 40347f-403483 701->704 705 4034c4-4034c7 702->705 706 4034ff-403502 702->706 712 4034bb 703->712 704->702 704->703 709 4034e7-4034ed 705->709 710 4034c9-4034db WriteFile 705->710 706->682 707 403508 706->707 707->680 711 4034f3-4034f7 709->711 710->693 713 4034dd-4034e0 710->713 711->695 715 4034fd 711->715 712->702 713->693 714 4034e2-4034e5 713->714 714->711 715->680
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 004033E7
                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 00403464
                                                                                                                                                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                                                                                                                              • wsprintfW.USER32 ref: 004034A4
                                                                                                                                                                              • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                                                                                                                              • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: CountFileTickWrite$wsprintf
• String ID: ... %d%%$P1B$X1C$X1C
• API String ID: 651206458-1535804072
Control-flow Graph (rendered graph omitted; nodes are marked Executed / Not Executed)
APIs
• lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
• lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
• lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
• SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
• String ID:
• API String ID: 2740478559-0
Control-flow Graph (rendered graph omitted; nodes are marked Executed / Not Executed)
APIs
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• GlobalFree.KERNELBASE(007FA840), ref: 00402387
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: FreeGloballstrcpyn
• String ID: Exch: stack < %d elements$Pop: stack empty$open
• API String ID: 1459762280-1711415406
Control-flow Graph (rendered graph omitted; nodes are marked Executed / Not Executed)
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
• GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
• VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
• GlobalFree.KERNELBASE(007FA840), ref: 00402387
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
• String ID:
• API String ID: 3376005127-0
Control-flow Graph (rendered graph omitted; nodes are marked Executed / Not Executed)
APIs
• GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
• WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
• lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
• WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
• String ID:
• API String ID: 2568930968-0

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)

APIs
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: PrivateProfileStringWritelstrcpyn
• String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
• API String ID: 247603264-1827671502
• Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
• Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
• Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
• Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)

APIs
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
• ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
• String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
• API String ID: 3156913733-2180253247
• Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
• Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
• Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
• Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
APIs
• GetTickCount.KERNEL32 ref: 00405E9D
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
• Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
• Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
• Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
• API String ID: 1249568736-780306582
• Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
• Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
• Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
• Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                                                                                                                              • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                                                                                                                                              • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                                                                                                                              • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
• Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
• Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
• Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
• Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
• Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
• Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
• Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
• Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
• Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
• Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
• Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
• Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
• Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
• Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
• Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
APIs
• GlobalFree.KERNELBASE(?), ref: 004073C5
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
• GlobalFree.KERNELBASE(?), ref: 0040743D
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
• Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
• Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
• Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
• Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                                                                                                                                              APIs
                                                                                                                                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                                                                                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3850602802-0
                                                                                                                                                                              • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                                                                                                                              • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                                                                                                                                              • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                                                                                                                              • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                                                                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$AttributesCreate
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 415043291-0
                                                                                                                                                                              • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                                                                                                              • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                                                                                                                              • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                                                                                                              • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AttributesFile
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3188754299-0
                                                                                                                                                                              • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                                                                                                                              • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                                                                                                                                              • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                                                                                                                              • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                                                                                                                                              APIs
                                                                                                                                                                              • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FileRead
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2738559852-0
                                                                                                                                                                              • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                                                                                                                              • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                                                                                                                                              • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                                                                                                                              • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                                                                                                • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                                                                                                • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                                                                                                • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                                                                                              • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Char$Next$CreateDirectoryPrev
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4115351271-0
                                                                                                                                                                              • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                                                                                                              • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                                                                                                                              • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                                                                                                              • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                                                                                                                              APIs
                                                                                                                                                                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
• Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
• Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
• Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
• Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
• Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
• Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
APIs
• SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
• Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
• Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
• Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
• Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
• Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
• Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404993
• GetDlgItem.USER32(?,00000408), ref: 004049A0
• GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
• LoadBitmapW.USER32(0000006E), ref: 00404A02
• SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
• ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
• SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
• DeleteObject.GDI32(?), ref: 00404A79
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
• GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
• ShowWindow.USER32(?,00000005), ref: 00404BCF
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
• ImageList_Destroy.COMCTL32(?), ref: 00404D9C
• GlobalFree.KERNEL32(?), ref: 00404DAC
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
• SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
• ShowWindow.USER32(?,00000000), ref: 00404F49
• GetDlgItem.USER32(?,000003FE), ref: 00404F54
• ShowWindow.USER32(00000000), ref: 00404F5B
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $ @$M$N
• API String ID: 1638840714-3479655940
• Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
• Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
• Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
• Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                                                                                                                              • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                                                                                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                                                                                                                              • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                                                                                                                              • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                                                                                                                              • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                                                                                                                              • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                                                                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                                                                                                                              • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                                                                                                                              • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                                                                                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                                                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                                                                                                                                • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                                                                                                                                • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                                                                                                • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                                                                                                • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                                                                                                • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                                                                                                • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                                                                                                                                              • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                                                                                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                                                                                                                                • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                                                                                              • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
• String ID: 82D$@%F$@rD$A
• API String ID: 3347642858-1086125096
• Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
• Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
• Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
• Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
• ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
• ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
• lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
• lstrcmpA.KERNEL32(name,?), ref: 00406FC7
• CloseHandle.KERNEL32(?), ref: 004071E6
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
• String ID: %s: failed opening file "%s"$GetTTFNameString$name
• API String ID: 1916479912-1189179171
• Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
• Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
• Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
• Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
APIs
• DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
• lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
• lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
• lstrlenW.KERNEL32(?), ref: 00406D2C
• FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
• FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
• FindClose.KERNEL32(?), ref: 00406E33
Strings
• Delete: DeleteFile("%s"), xrefs: 00406DBC
• RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
• RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
• \*.*, xrefs: 00406D03
• RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
• RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
• Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
• Delete: DeleteFile failed("%s"), xrefs: 00406DFD
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                              • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                                                                                                                              • API String ID: 2035342205-3294556389
                                                                                                                                                                              • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                                                                                                                              • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                                                                                                                              • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                                                                                                                              • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                                                                                              • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                                                                                                                                • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                                                                                              • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                                                                                                                              • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                                                                                                                              • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
• String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 3581403547-784952888
• Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
• Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
• Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
• Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
APIs
• CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
Strings
• CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
Similarity
• API ID: CreateInstance
• String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
• API String ID: 542301482-1377821865
• Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
• Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
• Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
• Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
• Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
• Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
• Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
APIs
• GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
• lstrlenW.KERNEL32(?), ref: 004063CC
• GetVersionExW.KERNEL32(?), ref: 0040642A
  • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
• FreeLibrary.KERNEL32(00000000), ref: 004064D4
• GlobalFree.KERNEL32(?), ref: 004064DD
Strings
Similarity
• API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
• API String ID: 20674999-2124804629
• Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
• Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
• Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
• Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
• GetDlgItem.USER32(?,000003E8), ref: 00404181
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
• GetSysColor.USER32(?), ref: 004041AF
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
• lstrlenW.KERNEL32(?), ref: 004041D6
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
  • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
• GetDlgItem.USER32(?,0000040A), ref: 0040424A
• SendMessageW.USER32(00000000), ref: 00404251
• GetDlgItem.USER32(?,000003E8), ref: 0040427E
• SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
• LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
• SetCursor.USER32(00000000), ref: 004042D2
• ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
• LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
• SetCursor.USER32(00000000), ref: 004042F6
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                                                                                                              • String ID: @%F$N$open
                                                                                                                                                                              • API String ID: 3928313111-3849437375
                                                                                                                                                                              • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                                                                                                                              • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                                                                                                                              • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                                                                                                                              • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
APIs
• lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
• CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
• GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
• GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
• WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
• WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
• wsprintfA.USER32 ref: 00406B4D
• GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
  • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
  • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
• GlobalFree.KERNEL32(00000000), ref: 00406C52
• CloseHandle.KERNEL32(?), ref: 00406C5C
Strings
Similarity
• API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
• String ID: F$%s=%s$NUL$[Rename]
• API String ID: 565278875-1653569448
• Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
• Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
• Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
• Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010D8
• FillRect.USER32(00000000,?,00000000), ref: 004010ED
• DeleteObject.GDI32(?), ref: 004010F6
• CreateFontIndirectW.GDI32(?), ref: 0040110E
• SetBkMode.GDI32(00000000,00000001), ref: 0040112F
• SetTextColor.GDI32(00000000,000000FF), ref: 00401139
• SelectObject.GDI32(00000000,?), ref: 00401149
• DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
• SelectObject.GDI32(00000000,00000000), ref: 00401169
• DeleteObject.GDI32(?), ref: 0040116E
• EndPaint.USER32(?,?), ref: 00401177
Strings
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
• Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
• Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
• Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                                                                                                              • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                                                                                                              • API String ID: 1641139501-220328614
                                                                                                                                                                              • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                                                                                                                              • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                                                                                                                                              • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                                                                                                                              • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
• GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
• WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
• GlobalFree.KERNEL32(00000000), ref: 00402F17
• CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
• DeleteFileW.KERNEL32(?), ref: 00402F56
Strings
• created uninstaller: %d, "%s", xrefs: 00402F3B
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID: created uninstaller: %d, "%s"
• API String ID: 3294113728-3145124454
• Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
• Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
• Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
• Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
• GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
• WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
• lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
• WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3734993849-2769509956
• Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
• Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
• Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
• Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
• GetSysColor.USER32(00000000), ref: 00403E00
• SetTextColor.GDI32(?,00000000), ref: 00403E0C
• SetBkMode.GDI32(?,?), ref: 00403E18
• GetSysColor.USER32(?), ref: 00403E2B
• SetBkColor.GDI32(?,?), ref: 00403E3B
• DeleteObject.GDI32(?), ref: 00403E55
• CreateBrushIndirect.GDI32(?), ref: 00403E5F
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
• Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
• Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
• Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
• FreeLibrary.KERNEL32(?,?), ref: 004024C3
Strings
• Error registering DLL: Could not load %s, xrefs: 004024DB
• Error registering DLL: Could not initialize OLE, xrefs: 004024F1
• Error registering DLL: %s not found in %s, xrefs: 0040249A
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
• String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
• API String ID: 1033533793-945480824
• Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
• Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
• Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
• Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
  • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: success ("%s"), xrefs: 00402263
• Exec: command="%s", xrefs: 00402241
• Exec: failed createprocess ("%s"), xrefs: 004022C2
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
• String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
• API String ID: 2014279497-3433828417
• Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
• Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
• Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
• Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
• GetMessagePos.USER32 ref: 00404871
• ScreenToClient.USER32(?,?), ref: 00404889
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
• Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
• Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
• Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
• MulDiv.KERNEL32(00023400,00000064,?), ref: 00403295
• wsprintfW.USER32 ref: 004032A5
• SetWindowTextW.USER32(?,?), ref: 004032B5
• SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
Strings
• verifying installer: %d%%, xrefs: 0040329F
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
• Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
• Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
• Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
APIs
• lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
• wsprintfW.USER32 ref: 00404457
• SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$@rD
• API String ID: 3540041739-1813061909
• Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
• Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
• Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
• Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                                                                                                                              APIs
                                                                                                                                                                              • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                                                                                              • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                                                                                              • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                                                                                              • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
• Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
• Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
• Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
• Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
APIs
• GetDlgItem.USER32(?), ref: 004020A3
• GetClientRect.USER32(00000000,?), ref: 004020B0
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
• DeleteObject.GDI32(00000000), ref: 004020EE
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
• Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
• Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
• Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
• Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
• DeleteRegKey: "%s\%s", xrefs: 00402843
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
• Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
• Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
• Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
APIs
• IsWindowVisible.USER32(?), ref: 00404902
• CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID: $@rD
• API String ID: 3748168415-881980237
• Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
• Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
• Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
• Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
  • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
• lstrlenW.KERNEL32 ref: 004026B4
• lstrlenW.KERNEL32(00000000), ref: 004026C1
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
• String ID: CopyFiles "%s"->"%s"
• API String ID: 2577523808-3778932970
• Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
• Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
• Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
• Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: lstrcatwsprintf
• String ID: %02x%c$...
• API String ID: 3065427908-1057055748
• Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
• Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
• Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
• Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
APIs
• OleInitialize.OLE32(00000000), ref: 00405057
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
• OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: InitializeMessageSendUninitializelstrlenwvsprintf
• String ID: Section: "%s"$Skipping section: "%s"
• API String ID: 2266616436-4211696005
• Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
• Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
• Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
• Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
APIs
• GetDC.USER32(?), ref: 00402100
• GetDeviceCaps.GDI32(00000000), ref: 00402107
• MulDiv.KERNEL32(00000000,00000000), ref: 00402117
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
• CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectVersionwsprintf
• String ID:
• API String ID: 1599320355-0
• Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
• Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
• Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
• Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
APIs
  • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
• lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
• lstrcpynW.KERNEL32(?,?,?), ref: 00407261
Strings
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpyn$CreateFilelstrcmp
                                                                                                                                                                              • String ID: Version
                                                                                                                                                                              • API String ID: 512980652-315105994
APIs
• DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
• GetProcAddress.KERNEL32(?,00000000), ref: 00406395
• GlobalFree.KERNEL32(00000000), ref: 0040639E
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Strings
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
• API String ID: 623250636-529124213
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
• CloseHandle.KERNEL32(?), ref: 00405C71
Strings
• Error launching installer, xrefs: 00405C48
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
• wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CloseHandlelstrlenwvsprintf
                                                                                                                                                                              • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                                                                                                              • API String ID: 3509786178-2769509956
                                                                                                                                                                              • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                                                                                                              • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                                                                                                                              • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                                                                                                              • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                                                                                                                              APIs
                                                                                                                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                                                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                                                                                                                              • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                                                                                                                              • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1786996002.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1786976555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787017126.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787037791.00000000004B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1787138270.0000000000505000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_GOmRjFSKNz.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 190613189-0
                                                                                                                                                                              • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                                                                                                              • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                                                                                                                              • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                                                                                                              • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                                                                                                                              Execution Graph

                                                                                                                                                                              Execution Coverage:4.3%
                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                              Signature Coverage:2.1%
                                                                                                                                                                              Total number of Nodes:2000
                                                                                                                                                                              Total number of Limit Nodes:70
98883 74b07f 98883->98882 98885 7830d4 98883->98885 98902 74bb86 98883->98902 98916 74b132 Mailbox _memmove 98883->98916 99162 7aa48d 89 API calls 4 library calls 98885->99162 98887 78355e 98900 74b4dd 98887->98900 99192 7aa48d 89 API calls 4 library calls 98887->99192 98888 78318a 98888->98900 99164 7aa48d 89 API calls 4 library calls 98888->99164 98890 79730a 59 API calls 98890->98916 98894 783106 98894->98888 99163 74a9de 290 API calls 98894->99163 98897 7453b0 290 API calls 98897->98916 98898 743b31 59 API calls 98898->98916 98900->98330 99160 7aa48d 89 API calls 4 library calls 98902->99160 98903 783418 98904 7453b0 290 API calls 98903->98904 98906 783448 98904->98906 98906->98900 99186 7439be 98906->99186 98909 7831c3 99165 7aa48d 89 API calls 4 library calls 98909->99165 98910 743c30 68 API calls 98910->98916 98913 78346f 99190 7aa48d 89 API calls 4 library calls 98913->99190 98915 745190 Mailbox 59 API calls 98915->98916 98916->98887 98916->98890 98916->98894 98916->98897 98916->98898 98916->98900 98916->98902 98916->98903 98916->98909 98916->98910 98916->98913 98916->98915 98917 760fe6 59 API calls Mailbox 98916->98917 98918 74523c 59 API calls 98916->98918 98919 751c9c 59 API calls 98916->98919 99063 743add 98916->99063 99070 74bc70 98916->99070 99149 743a40 98916->99149 99166 796c62 59 API calls 2 library calls 98916->99166 99167 7ba9c3 85 API calls Mailbox 98916->99167 99168 796c1e 59 API calls Mailbox 98916->99168 99169 7a5ef2 68 API calls 98916->99169 99170 743ea3 98916->99170 99191 7aa12a 59 API calls 98916->99191 98917->98916 98918->98916 98919->98916 98921->98356 98922->98360 98923->98855 98925 782d51 98924->98925 98928 74a84c 98924->98928 98951 7aa48d 89 API calls 4 library calls 98925->98951 98927 782d62 98927->98870 98929 782d6a 98928->98929 98936 74a888 _memmove 98928->98936 98952 7aa48d 89 API calls 4 library calls 98929->98952 98931 760fe6 59 API calls Mailbox 98931->98936 98933 782dae 98953 74a9de 290 API calls 98933->98953 98934 7453b0 290 
API calls 98934->98936 98936->98931 98936->98933 98936->98934 98937 782dc8 98936->98937 98938 74a975 98936->98938 98939 74a962 98936->98939 98937->98938 98954 7aa48d 89 API calls 4 library calls 98937->98954 98938->98870 98939->98938 98950 7ba9c3 85 API calls Mailbox 98939->98950 98942 797085 98941->98942 98946 7446ec 59 API calls 98942->98946 98947 7bf1b2 91 API calls 98942->98947 98955 74ec83 98942->98955 99030 7b495b 98942->99030 98943 7970d9 98943->98872 98946->98943 98947->98943 98948->98872 98949->98869 98950->98938 98951->98927 98952->98938 98953->98937 98954->98938 98956 744d37 84 API calls 98955->98956 98957 74eca2 98956->98957 98958 744d37 84 API calls 98957->98958 98959 74ecb7 98958->98959 98960 744d37 84 API calls 98959->98960 98961 74ecca 98960->98961 98962 744d37 84 API calls 98961->98962 98963 74ece0 98962->98963 98964 75162d 59 API calls 98963->98964 98965 74ecf4 98964->98965 98966 74ed19 98965->98966 98967 74502b 59 API calls 98965->98967 98968 785b67 98966->98968 98995 74ed43 __wopenfile 98966->98995 98967->98966 98969 7447be 59 API calls 98968->98969 98970 785b7a 98969->98970 98972 744540 59 API calls 98970->98972 98971 74ef3e 98973 7447be 59 API calls 98971->98973 98974 785b8c 98972->98974 98976 785d4a 98973->98976 98980 7443d0 59 API calls 98974->98980 99008 785bb1 98974->99008 98975 744d37 84 API calls 98977 74edca 98975->98977 98978 785d53 98976->98978 98979 785d97 98976->98979 98981 744d37 84 API calls 98977->98981 98983 744540 59 API calls 98978->98983 98982 744540 59 API calls 98979->98982 98980->99008 98984 74eddf 98981->98984 98985 785da1 98982->98985 98988 785d5e 98983->98988 98984->98971 98991 7447be 59 API calls 98984->98991 98989 7443d0 59 API calls 98985->98989 98987 785c0f 98987->98971 98998 744540 59 API calls 98987->98998 98990 744d37 84 API calls 98988->98990 98992 785dbd 98989->98992 98994 785d70 98990->98994 98997 74edfe 98991->98997 99006 744d37 84 API calls 98992->99006 98993 74477a 59 API calls 98993->99008 99054 751364 59 
API calls 2 library calls 98994->99054 98995->98971 98995->98975 98995->98987 99020 74ee30 __wopenfile 98995->99020 98997->98987 99000 74ee09 98997->99000 99002 785c76 98998->99002 98999 785d84 99004 74477a 59 API calls 98999->99004 99005 744540 59 API calls 99000->99005 99001 7443d0 59 API calls 99001->99008 99003 7443d0 59 API calls 99002->99003 99003->99020 99009 785d92 99004->99009 99010 74ee18 99005->99010 99011 785dd8 99006->99011 99008->98993 99008->99001 99017 74ef0c Mailbox 99008->99017 99052 751364 59 API calls 2 library calls 99008->99052 99015 7443d0 59 API calls 99009->99015 99012 7519e1 59 API calls 99010->99012 99055 751364 59 API calls 2 library calls 99011->99055 99012->99020 99015->99017 99016 785dec 99018 74477a 59 API calls 99016->99018 99017->98943 99018->99009 99020->99017 99022 785cc2 99020->99022 99039 751364 59 API calls 2 library calls 99020->99039 99040 74477a 99020->99040 99043 7443d0 99020->99043 99021 785cfb 99024 74477a 59 API calls 99021->99024 99022->99021 99023 785cec 99022->99023 99053 75153b 59 API calls 2 library calls 99023->99053 99026 785d09 99024->99026 99027 7443d0 59 API calls 99026->99027 99028 785d1c 99027->99028 99029 7519e1 59 API calls 99028->99029 99029->98971 99031 760fe6 Mailbox 59 API calls 99030->99031 99032 7b496c 99031->99032 99033 75433f 59 API calls 99032->99033 99034 7b4976 99033->99034 99035 744d37 84 API calls 99034->99035 99036 7b498d GetEnvironmentVariableW 99035->99036 99057 7a7a51 59 API calls Mailbox 99036->99057 99038 7b49aa 99038->98943 99039->99020 99041 760fe6 Mailbox 59 API calls 99040->99041 99042 744787 99041->99042 99042->99020 99044 77d6c9 99043->99044 99046 7443e7 99043->99046 99044->99046 99056 7440cb 59 API calls Mailbox 99044->99056 99047 7444ef 99046->99047 99048 744530 99046->99048 99049 7444e8 99046->99049 99047->99020 99050 74523c 59 API calls 99048->99050 99051 760fe6 Mailbox 59 API calls 99049->99051 99050->99047 99051->99047 99052->99008 99053->98971 99054->98999 99055->99016 
99056->99046 99057->99038 99059 75374f 99058->99059 99062 75376a 99058->99062 99060 751aa4 59 API calls 99059->99060 99061 753757 CharUpperBuffW 99060->99061 99061->99062 99062->98883 99064 77d3cd 99063->99064 99065 743aee 99063->99065 99066 760fe6 Mailbox 59 API calls 99065->99066 99067 743af5 99066->99067 99068 743b16 99067->99068 99193 743ba5 59 API calls Mailbox 99067->99193 99068->98916 99071 78359f 99070->99071 99081 74bc95 99070->99081 99321 7aa48d 89 API calls 4 library calls 99071->99321 99073 74bf3b 99073->98916 99080 74c2ca LockWindowUpdate DestroyWindow GetMessageW 99080->99073 99082 74c2fc 99080->99082 99130 74bca5 Mailbox 99081->99130 99322 745376 60 API calls 99081->99322 99323 79700c 290 API calls 99081->99323 99083 784509 TranslateMessage DispatchMessageW GetMessageW 99082->99083 99083->99073 99083->99083 99084 7836b3 Sleep 99084->99130 99085 78405d WaitForSingleObject 99089 78407d GetExitCodeProcess CloseHandle 99085->99089 99085->99130 99086 74bf54 timeGetTime 99086->99130 99088 74c210 Sleep 99088->99130 99097 74c36b 99089->99097 99090 751c9c 59 API calls 99090->99130 99091 751207 59 API calls 99122 783895 Mailbox 99091->99122 99092 7843a9 Sleep 99092->99122 99093 760fe6 59 API calls Mailbox 99093->99130 99097->98916 99098 74c324 timeGetTime 99320 745376 60 API calls 99098->99320 99100 7a4148 66 API calls 99100->99122 99102 784440 GetExitCodeProcess 99107 78446c CloseHandle 99102->99107 99108 784456 WaitForSingleObject 99102->99108 99103 744d37 84 API calls 99103->99130 99104 7c6562 110 API calls 99104->99122 99105 746d79 109 API calls 99105->99130 99107->99122 99108->99107 99108->99130 99110 7838aa Sleep 99110->99130 99111 7844c8 Sleep 99111->99130 99112 751a36 59 API calls 99112->99122 99116 745376 60 API calls 99116->99130 99118 743ea3 68 API calls 99118->99122 99119 74c26d 99125 751a36 59 API calls 99119->99125 99120 74b020 268 API calls 99120->99130 99122->99091 99122->99097 99122->99100 99122->99102 99122->99104 99122->99110 99122->99111 
99122->99112 99122->99118 99122->99130 99329 7a2baf 60 API calls 99122->99329 99330 745376 60 API calls 99122->99330 99331 746cd8 290 API calls 99122->99331 99333 76083e timeGetTime 99122->99333 99123 751a36 59 API calls 99123->99130 99127 74bf25 Mailbox 99125->99127 99126 7bc355 268 API calls 99126->99130 99127->99073 99290 74c460 99127->99290 99129 74a820 268 API calls 99129->99130 99130->99084 99130->99085 99130->99086 99130->99088 99130->99090 99130->99092 99130->99093 99130->99097 99130->99098 99130->99103 99130->99105 99130->99116 99130->99119 99130->99120 99130->99122 99130->99123 99130->99126 99130->99127 99130->99129 99131 743ea3 68 API calls 99130->99131 99132 7439be 68 API calls 99130->99132 99133 7453b0 268 API calls 99130->99133 99134 796cf1 59 API calls Mailbox 99130->99134 99135 743a40 59 API calls 99130->99135 99136 7aa48d 89 API calls 99130->99136 99137 783e13 VariantClear 99130->99137 99138 7441c4 59 API calls Mailbox 99130->99138 99139 783ea9 VariantClear 99130->99139 99140 797aad 59 API calls 99130->99140 99141 783c57 VariantClear 99130->99141 99142 746cd8 268 API calls 99130->99142 99143 745190 59 API calls Mailbox 99130->99143 99145 7be60c 130 API calls 99130->99145 99194 7452b0 99130->99194 99203 749a00 99130->99203 99210 749c80 99130->99210 99241 7a412a 99130->99241 99244 7abcd6 99130->99244 99276 7ac270 99130->99276 99283 7c64b2 99130->99283 99309 7a57ff 99130->99309 99319 76083e timeGetTime 99130->99319 99324 7c6655 59 API calls 99130->99324 99325 7aa058 59 API calls Mailbox 99130->99325 99326 79e0aa 59 API calls 99130->99326 99327 796c62 59 API calls 2 library calls 99130->99327 99328 7438ff 59 API calls 99130->99328 99332 7970e2 59 API calls 99130->99332 99131->99130 99132->99130 99133->99130 99134->99130 99135->99130 99136->99130 99137->99130 99138->99130 99139->99130 99140->99130 99141->99130 99142->99130 99143->99130 99145->99130 99150 77d3b1 99149->99150 99153 743a53 99149->99153 99151 77d3c1 99150->99151 99586 796d17 59 API calls 
99150->99586 99154 743a7d 99153->99154 99155 743a9a Mailbox 99153->99155 99578 743b31 99153->99578 99157 743b31 59 API calls 99154->99157 99158 743a83 99154->99158 99155->98916 99157->99158 99158->99155 99159 745190 Mailbox 59 API calls 99158->99159 99159->99155 99160->98882 99161->98900 99162->98900 99163->98888 99164->98900 99165->98900 99166->98916 99167->98916 99168->98916 99169->98916 99587 743c30 99170->99587 99172 743eb3 99173 743f2d 99172->99173 99174 743ebd 99172->99174 99176 74523c 59 API calls 99173->99176 99175 760fe6 Mailbox 59 API calls 99174->99175 99177 743ece 99175->99177 99178 743f1d 99176->99178 99179 743edc 99177->99179 99180 751207 59 API calls 99177->99180 99178->98916 99181 743eeb 99179->99181 99182 751bcc 59 API calls 99179->99182 99180->99179 99183 760fe6 Mailbox 59 API calls 99181->99183 99182->99181 99184 743ef5 99183->99184 99594 743bc8 68 API calls 99184->99594 99187 7439c9 99186->99187 99188 7439f0 99187->99188 99189 743ea3 68 API calls 99187->99189 99188->98913 99189->99188 99190->98900 99191->98916 99192->98900 99193->99068 99195 7452c6 99194->99195 99196 745313 99194->99196 99195->99196 99197 7452d3 PeekMessageW 99195->99197 99198 7452ec 99196->99198 99200 77df68 TranslateAcceleratorW 99196->99200 99201 745352 TranslateMessage DispatchMessageW 99196->99201 99202 74533e PeekMessageW 99196->99202 99334 74359e 99196->99334 99197->99196 99197->99198 99198->99130 99200->99196 99200->99202 99201->99202 99202->99196 99202->99198 99204 749a31 99203->99204 99205 749a1d 99203->99205 99373 7aa48d 89 API calls 4 library calls 99204->99373 99339 7494e0 99205->99339 99207 749a28 99207->99130 99209 782478 99209->99209 99211 749cb5 99210->99211 99212 78247d 99211->99212 99215 749d1f 99211->99215 99225 749d79 99211->99225 99213 7453b0 290 API calls 99212->99213 99214 782492 99213->99214 99239 749f50 Mailbox 99214->99239 99385 7aa48d 89 API calls 4 library calls 99214->99385 99218 751207 59 API calls 99215->99218 99215->99225 99216 751207 59 API 
calls 99216->99225 99219 7824d8 99218->99219 99221 762f70 __cinit 67 API calls 99219->99221 99220 762f70 __cinit 67 API calls 99220->99225 99221->99225 99222 7824fa 99222->99130 99223 7439be 68 API calls 99223->99239 99224 7453b0 290 API calls 99224->99239 99225->99216 99225->99220 99225->99222 99227 749f3a 99225->99227 99225->99239 99227->99239 99386 7aa48d 89 API calls 4 library calls 99227->99386 99229 745190 Mailbox 59 API calls 99229->99239 99230 74a775 99390 7aa48d 89 API calls 4 library calls 99230->99390 99232 7827f9 99232->99130 99233 744230 59 API calls 99233->99239 99236 7aa48d 89 API calls 99236->99239 99239->99223 99239->99224 99239->99229 99239->99230 99239->99233 99239->99236 99240 74a058 99239->99240 99381 751bcc 99239->99381 99387 797aad 59 API calls 99239->99387 99388 7bccac 290 API calls 99239->99388 99389 7bbc26 290 API calls Mailbox 99239->99389 99391 7b9ab0 290 API calls Mailbox 99239->99391 99240->99130 99392 7a494a GetFileAttributesW 99241->99392 99245 7abcf5 99244->99245 99273 7abdbb Mailbox 99244->99273 99246 74502b 59 API calls 99245->99246 99248 7abd00 99246->99248 99247 744d37 84 API calls 99249 7abdf3 99247->99249 99251 74502b 59 API calls 99248->99251 99250 744d37 84 API calls 99249->99250 99253 7abe05 99250->99253 99252 7abd14 99251->99252 99255 751207 59 API calls 99252->99255 99252->99273 99396 7a3ce2 99253->99396 99256 7abd25 99255->99256 99257 751207 59 API calls 99256->99257 99258 7abd2e 99257->99258 99259 744d37 84 API calls 99258->99259 99260 7abd3b 99259->99260 99261 760119 59 API calls 99260->99261 99262 7abd4e 99261->99262 99263 7517e0 59 API calls 99262->99263 99264 7abd5f 99263->99264 99265 7abdb1 99264->99265 99266 7a412a 3 API calls 99264->99266 99267 74502b 59 API calls 99265->99267 99268 7abd6e 99266->99268 99267->99273 99268->99265 99269 7abd72 99268->99269 99270 751a36 59 API calls 99269->99270 99271 7abd7f 99270->99271 99442 7a3f1d 63 API calls Mailbox 99271->99442 99273->99247 99274 7abdc3 Mailbox 99273->99274 
99274->99130 99275 7abd88 Mailbox 99275->99265 99277 744d37 84 API calls 99276->99277 99278 7ac286 99277->99278 99528 7a4005 99278->99528 99280 7ac28e 99281 7ac292 GetLastError 99280->99281 99282 7ac2a7 99280->99282 99281->99282 99282->99130 99552 7c65c1 99283->99552 99285 7c64c0 99286 74bc70 290 API calls 99285->99286 99287 7c64eb 99286->99287 99288 74523c 59 API calls 99287->99288 99289 7c6503 99288->99289 99289->99130 99569 7602d4 99290->99569 99292 74c46d 99293 74c2b6 99292->99293 99294 7845dc 99292->99294 99293->99073 99297 74c483 99293->99297 99573 7a77eb 7 API calls Mailbox 99294->99573 99574 7a77eb 7 API calls Mailbox 99294->99574 99298 751a36 59 API calls 99297->99298 99299 74c4ad 99298->99299 99300 743ea3 68 API calls 99299->99300 99301 74c4c2 Mailbox 99300->99301 99302 751a36 59 API calls 99301->99302 99303 74c4ef 99302->99303 99304 743ea3 68 API calls 99303->99304 99307 74c500 Mailbox 99304->99307 99305 74c524 99305->99080 99307->99305 99576 745376 60 API calls 99307->99576 99577 79700c 290 API calls 99307->99577 99310 7a580c 99309->99310 99311 7a587d 99309->99311 99312 7a580e Sleep 99310->99312 99314 7a5817 QueryPerformanceCounter 99310->99314 99311->99130 99312->99311 99314->99312 99315 7a5825 QueryPerformanceFrequency 99314->99315 99316 7a582f Sleep QueryPerformanceCounter 99315->99316 99317 7a5870 99316->99317 99317->99316 99318 7a5874 99317->99318 99318->99311 99319->99130 99320->99130 99321->99081 99322->99081 99323->99081 99324->99130 99325->99130 99326->99130 99327->99130 99328->99130 99329->99122 99330->99122 99331->99122 99332->99130 99333->99122 99335 7435e2 99334->99335 99337 7435b0 99334->99337 99335->99196 99336 7435d5 IsDialogMessageW 99336->99335 99336->99337 99337->99335 99337->99336 99338 77d273 GetClassLongW 99337->99338 99338->99336 99338->99337 99340 7453b0 290 API calls 99339->99340 99341 74951f 99340->99341 99342 782001 99341->99342 99350 749527 _memmove 99341->99350 99343 745190 Mailbox 59 API calls 99342->99343 99348 749944 
99343->99348 99344 7822c0 99380 7aa48d 89 API calls 4 library calls 99344->99380 99346 7822de 99346->99346 99347 749583 99347->99207 99352 760fe6 Mailbox 59 API calls 99348->99352 99349 74986a 99353 7822b1 99349->99353 99354 74987f 99349->99354 99350->99344 99350->99347 99350->99348 99351 760fe6 59 API calls Mailbox 99350->99351 99358 7496cf 99350->99358 99368 749741 99350->99368 99351->99350 99357 7496e3 _memmove 99352->99357 99379 7ba983 59 API calls 99353->99379 99356 760fe6 Mailbox 59 API calls 99354->99356 99366 74977d 99356->99366 99359 760fe6 Mailbox 59 API calls 99357->99359 99363 74970e 99357->99363 99357->99368 99358->99348 99360 7496dc 99358->99360 99359->99363 99362 760fe6 Mailbox 59 API calls 99360->99362 99361 7822a0 99378 7aa48d 89 API calls 4 library calls 99361->99378 99362->99357 99363->99368 99374 74cca0 290 API calls 99363->99374 99366->99207 99368->99349 99368->99361 99368->99366 99369 782278 99368->99369 99371 782253 99368->99371 99375 748180 290 API calls 99368->99375 99377 7aa48d 89 API calls 4 library calls 99369->99377 99376 7aa48d 89 API calls 4 library calls 99371->99376 99373->99209 99374->99368 99375->99368 99376->99366 99377->99366 99378->99366 99379->99344 99380->99346 99382 751bef _memmove 99381->99382 99383 751bdc 99381->99383 99382->99239 99383->99382 99384 760fe6 Mailbox 59 API calls 99383->99384 99384->99382 99385->99239 99386->99239 99387->99239 99388->99239 99389->99239 99390->99232 99391->99239 99393 7a4131 99392->99393 99394 7a4965 FindFirstFileW 99392->99394 99393->99130 99394->99393 99395 7a497a FindClose 99394->99395 99395->99393 99397 751207 59 API calls 99396->99397 99398 7a3cff 99397->99398 99399 751207 59 API calls 99398->99399 99400 7a3d07 99399->99400 99401 751207 59 API calls 99400->99401 99402 7a3d0f 99401->99402 99403 751207 59 API calls 99402->99403 99404 7a3d17 99403->99404 99443 760284 99404->99443 99407 760284 60 API calls 99408 7a3d2b 99407->99408 99453 7a4f82 99408->99453 99410 7a3d36 99464 7a4fec 
GetFileAttributesW 99410->99464 99413 7a3d53 99415 7a4fec GetFileAttributesW 99413->99415 99414 751900 59 API calls 99414->99413 99416 7a3d5b 99415->99416 99417 7a3d68 99416->99417 99419 751900 59 API calls 99416->99419 99418 751207 59 API calls 99417->99418 99420 7a3d70 99418->99420 99419->99417 99421 751207 59 API calls 99420->99421 99422 7a3d78 99421->99422 99423 760119 59 API calls 99422->99423 99424 7a3d89 FindFirstFileW 99423->99424 99425 7a3eb4 FindClose 99424->99425 99432 7a3dac Mailbox 99424->99432 99429 7a3ebe Mailbox 99425->99429 99426 7a3e88 FindNextFileW 99426->99432 99427 751a36 59 API calls 99427->99432 99429->99274 99430 751c9c 59 API calls 99430->99432 99431 7517e0 59 API calls 99431->99432 99432->99425 99432->99426 99432->99427 99432->99430 99432->99431 99433 751900 59 API calls 99432->99433 99434 7a412a 3 API calls 99432->99434 99435 7a3e2a 99432->99435 99436 7a3eab FindClose 99432->99436 99437 7a3ef7 CopyFileExW 99432->99437 99441 7a3e6b DeleteFileW 99432->99441 99466 7a4561 99432->99466 99433->99432 99434->99432 99438 75151f 61 API calls 99435->99438 99439 7a3e4e MoveFileW 99435->99439 99440 7a3e3e DeleteFileW 99435->99440 99436->99429 99437->99432 99438->99435 99439->99432 99440->99432 99441->99432 99442->99275 99520 771b70 99443->99520 99446 7602b0 99448 751821 59 API calls 99446->99448 99447 7602cd 99449 7519e1 59 API calls 99447->99449 99450 7602bc 99448->99450 99449->99450 99522 75133d 99450->99522 99454 751207 59 API calls 99453->99454 99455 7a4f97 99454->99455 99456 751207 59 API calls 99455->99456 99457 7a4f9f 99456->99457 99458 760119 59 API calls 99457->99458 99459 7a4fae 99458->99459 99460 760119 59 API calls 99459->99460 99461 7a4fbe 99460->99461 99462 75151f 61 API calls 99461->99462 99463 7a4fce Mailbox 99462->99463 99463->99410 99465 7a3d41 99464->99465 99465->99413 99465->99414 99467 7a457d 99466->99467 99468 7a4582 99467->99468 99469 7a4590 99467->99469 99471 751c9c 59 API calls 99468->99471 99470 751207 59 API calls 
99469->99470 99472 7a4598 99470->99472 99473 7a458b Mailbox 99471->99473 99474 751207 59 API calls 99472->99474 99473->99432 99475 7a45a0 99474->99475 99476 751207 59 API calls 99475->99476 99477 7a45ab 99476->99477 99478 751207 59 API calls 99477->99478 99479 7a45b3 99478->99479 99480 751207 59 API calls 99479->99480 99481 7a45bb 99480->99481 99482 751207 59 API calls 99481->99482 99483 7a45c3 99482->99483 99484 751207 59 API calls 99483->99484 99485 7a45cb 99484->99485 99486 751207 59 API calls 99485->99486 99487 7a45d3 99486->99487 99488 760119 59 API calls 99487->99488 99489 7a45ea 99488->99489 99490 760119 59 API calls 99489->99490 99491 7a4603 99490->99491 99492 751609 59 API calls 99491->99492 99493 7a460f 99492->99493 99494 7a4622 99493->99494 99495 751981 59 API calls 99493->99495 99496 751609 59 API calls 99494->99496 99495->99494 99497 7a462b 99496->99497 99498 7a463b 99497->99498 99499 751981 59 API calls 99497->99499 99500 751c9c 59 API calls 99498->99500 99499->99498 99501 7a4647 99500->99501 99502 7517e0 59 API calls 99501->99502 99503 7a4653 99502->99503 99526 7a4713 59 API calls 99503->99526 99505 7a4662 99527 7a4713 59 API calls 99505->99527 99507 7a4675 99508 751609 59 API calls 99507->99508 99509 7a467f 99508->99509 99510 7a4696 99509->99510 99511 7a4684 99509->99511 99513 751609 59 API calls 99510->99513 99512 751900 59 API calls 99511->99512 99514 7a4691 99512->99514 99515 7a469f 99513->99515 99518 7517e0 59 API calls 99514->99518 99516 7a46bd 99515->99516 99517 751900 59 API calls 99515->99517 99519 7517e0 59 API calls 99516->99519 99517->99514 99518->99516 99519->99473 99521 760291 GetFullPathNameW 99520->99521 99521->99446 99521->99447 99523 75134b 99522->99523 99524 751981 59 API calls 99523->99524 99525 75135b 99524->99525 99525->99407 99526->99505 99527->99507 99529 751207 59 API calls 99528->99529 99530 7a4024 99529->99530 99531 751207 59 API calls 99530->99531 99532 7a402d 99531->99532 99533 751207 59 API calls 99532->99533 99534 
7a4036 99533->99534 99535 760284 60 API calls 99534->99535 99536 7a4041 99535->99536 99537 7a4fec GetFileAttributesW 99536->99537 99538 7a404a 99537->99538 99539 7a405c 99538->99539 99540 751900 59 API calls 99538->99540 99541 760119 59 API calls 99539->99541 99540->99539 99542 7a4070 FindFirstFileW 99541->99542 99543 7a40fc FindClose 99542->99543 99546 7a408f 99542->99546 99548 7a4107 Mailbox 99543->99548 99544 7a40d7 FindNextFileW 99544->99546 99545 751c9c 59 API calls 99545->99546 99546->99543 99546->99544 99546->99545 99547 7517e0 59 API calls 99546->99547 99549 751900 59 API calls 99546->99549 99547->99546 99548->99280 99550 7a40c8 DeleteFileW 99549->99550 99550->99544 99551 7a40f3 FindClose 99550->99551 99551->99548 99558 746de9 99552->99558 99555 7c65e2 timeGetTime 99555->99285 99556 74502b 59 API calls 99556->99555 99559 74523c 59 API calls 99558->99559 99560 746e03 99559->99560 99561 77f40f 99560->99561 99562 746e0d 99560->99562 99564 751821 59 API calls 99561->99564 99563 744d37 84 API calls 99562->99563 99566 746e1a 99563->99566 99565 77f41f 99564->99565 99565->99565 99567 751c9c 59 API calls 99566->99567 99568 746e28 99567->99568 99568->99555 99568->99556 99572 7602df 99569->99572 99570 7602e7 99570->99292 99572->99570 99575 7b2db2 InternetCloseHandle InternetCloseHandle WaitForSingleObject 99572->99575 99573->99292 99574->99292 99575->99572 99576->99307 99577->99307 99579 743b3f 99578->99579 99585 743b67 99578->99585 99580 743b4d 99579->99580 99581 743b31 59 API calls 99579->99581 99582 743b31 59 API calls 99580->99582 99583 743b53 99580->99583 99581->99580 99582->99583 99584 745190 Mailbox 59 API calls 99583->99584 99583->99585 99584->99585 99585->99154 99586->99151 99588 743e11 99587->99588 99589 743c43 99587->99589 99588->99172 99590 751207 59 API calls 99589->99590 99593 743c54 99589->99593 99591 743e73 99590->99591 99592 762f70 __cinit 67 API calls 99591->99592 99592->99593 99593->99172 99594->99178 99595->98367 99596 741016 99601 755ce7 
99596->99601 99599 762f70 __cinit 67 API calls 99600 741025 99599->99600 99602 760fe6 Mailbox 59 API calls 99601->99602 99603 755cef 99602->99603 99604 74101b 99603->99604 99608 755f39 99603->99608 99604->99599 99609 755f42 99608->99609 99611 755cfb 99608->99611 99610 762f70 __cinit 67 API calls 99609->99610 99610->99611 99612 755d13 99611->99612 99613 751207 59 API calls 99612->99613 99614 755d2b GetVersionExW 99613->99614 99615 751821 59 API calls 99614->99615 99616 755d6e 99615->99616 99617 751981 59 API calls 99616->99617 99625 755d9b 99616->99625 99618 755d8f 99617->99618 99619 75133d 59 API calls 99618->99619 99619->99625 99620 755e00 GetCurrentProcess IsWow64Process 99621 755e19 99620->99621 99623 755e2f 99621->99623 99624 755e98 GetSystemInfo 99621->99624 99622 791098 99636 7555f0 99623->99636 99626 755e65 99624->99626 99625->99620 99625->99622 99626->99604 99629 755e41 99632 7555f0 2 API calls 99629->99632 99630 755e8c GetSystemInfo 99631 755e56 99630->99631 99631->99626 99634 755e5c FreeLibrary 99631->99634 99633 755e49 GetNativeSystemInfo 99632->99633 99633->99631 99634->99626 99637 755619 99636->99637 99638 7555f9 LoadLibraryA 99636->99638 99637->99629 99637->99630 99638->99637 99639 75560a GetProcAddress 99638->99639 99639->99637 99640 747357 99641 7478f5 99640->99641 99642 747360 99640->99642 99649 746fdb Mailbox 99641->99649 99651 7987f9 59 API calls _memmove 99641->99651 99642->99641 99643 744d37 84 API calls 99642->99643 99644 74738b 99643->99644 99644->99641 99645 74739b 99644->99645 99647 751680 59 API calls 99645->99647 99647->99649 99648 77f91b 99650 751c9c 59 API calls 99648->99650 99650->99649 99651->99648 99652 74107d 99657 752fc5 99652->99657 99654 74108c 99655 762f70 __cinit 67 API calls 99654->99655 99656 741096 99655->99656 99658 752fd5 __ftell_nolock 99657->99658 99659 751207 59 API calls 99658->99659 99660 75308b 99659->99660 99688 7600cf 99660->99688 99662 753094 99695 7608c1 99662->99695 99665 751900 59 API calls 99666 7530ad 
Execution graph (continued): node/edge listing rendered by the Joe Sandbox IDA plugin, not reproduced here. API nodes on the listed paths: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleFileNameW, GetFullPathNameW, GetCurrentDirectoryW, IsDebuggerPresent, MessageBoxA, SetCurrentDirectoryW, GetOpenFileNameW, GetLongPathNameW, LoadLibraryExW, LoadLibraryA, GetProcAddress, FreeLibrary, IsThemeActive, SystemParametersInfoW, RegisterWindowMessageW, SetTimer, KillTimer, CreatePopupMenu, Shell_NotifyIconW, DefWindowProcW, PostQuitMessage, MoveWindow, SetFocus, DestroyWindow, DeleteObject, mciSendStringW, UnregisterHotKey, FindClose, CloseHandle, VirtualFree, CoUninitialize, OleInitialize, GetStdHandle, CreateThread. CRT start-up and ___raise_securityfailure paths: GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, TlsAlloc, TlsSetValue, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, HeapAlloc, Sleep, GetFileType, IsProcessorFeaturePresent, EncodePointer, DecodePointer, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0075526C
• IsDebuggerPresent.KERNEL32 ref: 0075527E
• GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 007552E6
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
  • Part of subcall function 0074BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0074BC07
• SetCurrentDirectoryW.KERNEL32(?), ref: 00755366
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00790B2E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00790B66
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007F6D10), ref: 00790BE9
• ShellExecuteW.SHELL32(00000000), ref: 00790BF0
  • Part of subcall function 0075514C: GetSysColorBrush.USER32(0000000F), ref: 00755156
  • Part of subcall function 0075514C: LoadCursorW.USER32(00000000,00007F00), ref: 00755165
  • Part of subcall function 0075514C: LoadIconW.USER32(00000063), ref: 0075517C
  • Part of subcall function 0075514C: LoadIconW.USER32(000000A4), ref: 0075518E
  • Part of subcall function 0075514C: LoadIconW.USER32(000000A2), ref: 007551A0
  • Part of subcall function 0075514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007551C6
  • Part of subcall function 0075514C: RegisterClassExW.USER32(?), ref: 0075521C
  • Part of subcall function 007550DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00755109
  • Part of subcall function 007550DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0075512A
  • Part of subcall function 007550DB: ShowWindow.USER32(00000000), ref: 0075513E
  • Part of subcall function 007550DB: ShowWindow.USER32(00000000), ref: 00755147
  • Part of subcall function 007559D3: _memset.LIBCMT ref: 007559F9
  • Part of subcall function 007559D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00755A9E
Strings
• runas, xrefs: 00790BE4
• It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00790B28
• AutoIt, xrefs: 00790B23
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
• API String ID: 529118366-2030392706
• Opcode ID: 3e4b745ca1c84b64a0678d5c425f6932a420dd868ecaeca3e52981828a15f77c
• Instruction ID: 399f80d888df2a5cd649704952b998810daea3d1f4a85ac7e0a4bb790422a2b3
• Opcode Fuzzy Hash: 3e4b745ca1c84b64a0678d5c425f6932a420dd868ecaeca3e52981828a15f77c
• Instruction Fuzzy Hash: 1B510571D05248EECF11ABB4DC19EFD7B78BB05342F104069F956A22A2DAFC6948C760

Control-flow Graph (interactive rendering omitted; basic blocks 7a3ce2 through 7a3ef6: a FindFirstFileW/FindNextFileW loop over a directory listing that calls MoveFileW or DeleteFileW on each entry, FindClose on exit)
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00760284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00752A58,?,00008000), ref: 007602A4
                                                                                                                                                                                • Part of subcall function 007A4FEC: GetFileAttributesW.KERNEL32(?,007A3BFE), ref: 007A4FED
                                                                                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007A3D96
                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007A3E3E
                                                                                                                                                                              • MoveFileW.KERNEL32(?,?), ref: 007A3E51
                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007A3E6E
                                                                                                                                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 007A3E90
                                                                                                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 007A3EAC
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                                                                                                              • String ID: \*.*
                                                                                                                                                                              • API String ID: 4002782344-1173974218
                                                                                                                                                                              • Opcode ID: 448d3ebaf25c20ac871274b1cc15fbb79fcae9e368c653a61487a463e7380319
                                                                                                                                                                              • Instruction ID: 779292761a9198400296f4f3c582a621911506c0b2bb7099e12e814135bc6ab4
                                                                                                                                                                              • Opcode Fuzzy Hash: 448d3ebaf25c20ac871274b1cc15fbb79fcae9e368c653a61487a463e7380319
                                                                                                                                                                              • Instruction Fuzzy Hash: 9451723190114DEACF15EFA0C95AAEDB779AF51302FA04265F842B3191EB796F0DCB60

Control-flow Graph (interactive rendering omitted; basic blocks 755d13 through 755ea2 plus 790fa9 through 7910c8: GetVersionExW, then GetCurrentProcess/IsWow64Process, branching to GetNativeSystemInfo or to one of two GetSystemInfo call sites, with FreeLibrary reachable afterwards)
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetVersionExW.KERNEL32(?), ref: 00755D40
                                                                                                                                                                                • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,007D0A18,00000000,00000000,?), ref: 00755E07
                                                                                                                                                                              • IsWow64Process.KERNEL32(00000000), ref: 00755E0E
                                                                                                                                                                              • GetNativeSystemInfo.KERNEL32(00000000), ref: 00755E54
                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00755E5F
                                                                                                                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00755E90
                                                                                                                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00755E9C
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1986165174-0
                                                                                                                                                                              • Opcode ID: ad2be627d95ef4d58a21f60e88ff8c086468585d4a83cdf01fb509af8a99ba05
                                                                                                                                                                              • Instruction ID: 879b83f5e6dc9e12ba6fac0864ae2af3aef992ed9e4eaa78db5e90530e3b9595
                                                                                                                                                                              • Opcode Fuzzy Hash: ad2be627d95ef4d58a21f60e88ff8c086468585d4a83cdf01fb509af8a99ba05
                                                                                                                                                                              • Instruction Fuzzy Hash: 4E91F53154ABC0DECB31CB6894611EABFE16F25301F884A9ED4C787A01D279B64CC7A9

Control-flow Graph (interactive rendering omitted; basic blocks 7a4005 through 7a4129: a FindFirstFileW/FindNextFileW loop that calls DeleteFileW on each entry, FindClose on both exit paths)
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00760284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00752A58,?,00008000), ref: 007602A4
                                                                                                                                                                                • Part of subcall function 007A4FEC: GetFileAttributesW.KERNEL32(?,007A3BFE), ref: 007A4FED
                                                                                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007A407C
                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 007A40CC
                                                                                                                                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 007A40DD
                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 007A40F4
                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 007A40FD
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                                                                              • String ID: \*.*
                                                                                                                                                                              • API String ID: 2649000838-1173974218
                                                                                                                                                                              • Opcode ID: 67faae0797364ddfb8457ab2d2ae9277c564508d5d2f76fea7a305f5beb915bf
                                                                                                                                                                              • Instruction ID: 925eb40269bd399a278ff9d5abe33236e4d9f86eca8fb892ea382c5f476441ee
                                                                                                                                                                              • Opcode Fuzzy Hash: 67faae0797364ddfb8457ab2d2ae9277c564508d5d2f76fea7a305f5beb915bf
                                                                                                                                                                              • Instruction Fuzzy Hash: 7731A431009345DBC300EB60C8999EFB7E8BED2306F844A1DF9D182191EB69A90DD7A7
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 007A416D
                                                                                                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 007A417B
                                                                                                                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 007A419B
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 007A4245
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 420147892-0
                                                                                                                                                                              • Opcode ID: bcf9cfe22d5bef62aac17d71ccb4d931a5d92cf2e213be44ca283f0e0b7e9506
                                                                                                                                                                              • Instruction ID: 6e269b8cb264589301a58b743f3f432d567a0756fb742f7a2ff72ab617de5b10
                                                                                                                                                                              • Opcode Fuzzy Hash: bcf9cfe22d5bef62aac17d71ccb4d931a5d92cf2e213be44ca283f0e0b7e9506
                                                                                                                                                                              • Instruction Fuzzy Hash: F6318F71108345DBD300EF50D889BAFBBF8BFD5351F40062DF985821A1EBBA9949CB92
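The per-function "APIs" lists above (directory enumeration with FindFirstFileW/FindNextFileW/DeleteFileW, OS fingerprinting with GetVersionExW/IsWow64Process, and the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW chain behind the "Search for Antivirus process" signature) are the raw material a triage script turns into behaviour tags. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses blocks in the report's own "APIs" layout and fires a tag when a function calls every API in a rule directly (callee calls marked "Part of subcall function" are recorded separately). The excerpt in SAMPLE_REPORT is constructed for this example from lines on this page; the rule names, and the choice of a function's first direct call address as its key (the APIs list does not carry the function start), are this example's own assumptions.

```python
"""
Added example, not code from the Joe Sandbox report: tag behaviours from the
per-function "APIs" lists printed for each disassembled function.
Rule names and the SAMPLE_REPORT excerpt are constructed for this example;
the API names and addresses in the excerpt are copied from the report.
"""
import re
from typing import Dict, FrozenSet, List, Optional

# Constructed excerpt mirroring the report's "APIs" sections. Every block
# starts with an "APIs" heading; "Part of subcall function" lines are calls
# made by a callee and are recorded as indirect.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 007A4FEC: GetFileAttributesW.KERNEL32(?,007A3BFE), ref: 007A4FED
• FindFirstFileW.KERNEL32(?,?), ref: 007A407C
• DeleteFileW.KERNEL32(?,?,?,?), ref: 007A40CC
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 007A40DD
• FindClose.KERNEL32(00000000), ref: 007A40F4
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 007A416D
• Process32FirstW.KERNEL32(00000000,?), ref: 007A417B
• Process32NextW.KERNEL32(00000000,?), ref: 007A419B
• CloseHandle.KERNEL32(00000000), ref: 007A4245
APIs
• GetVersionExW.KERNEL32(?), ref: 00755D40
• IsWow64Process.KERNEL32(00000000), ref: 00755E0E
• GetNativeSystemInfo.KERNEL32(00000000), ref: 00755E54
"""

# One call line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, optional "(args)", an optional comma, then "ref: ADDR".
CALL_RE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\([^)]*\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Behaviour rules (names are this example's own): a tag fires when every API
# in the set is called directly by the same function.
RULES: Dict[str, FrozenSet[str]] = {
    "process-enumeration": frozenset(
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    "directory-wipe": frozenset(
        {"FindFirstFileW", "FindNextFileW", "DeleteFileW"}),
    "os-fingerprint": frozenset({"GetVersionExW", "IsWow64Process"}),
}


def parse_blocks(report: str) -> List[Dict[str, object]]:
    """Split the text into "APIs" blocks; collect direct and indirect calls."""
    blocks: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"first_ref": None, "direct": [], "indirect": []}
            blocks.append(current)
            continue
        if current is None:
            continue  # text before the first block is ignored
        m = CALL_RE.search(stripped)
        if not m:
            continue  # headings such as "Strings" or "Memory Dump Source"
        kind = "indirect" if m.group("sub") else "direct"
        current[kind].append(m.group("api"))
        # The first direct call site stands in for the function identity.
        if kind == "direct" and current["first_ref"] is None:
            current["first_ref"] = m.group("ref")
    return blocks


def tag_blocks(blocks: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each block's key address to the sorted list of rule names it matches."""
    tagged: Dict[str, List[str]] = {}
    for block in blocks:
        direct = set(block["direct"])
        tags = sorted(name for name, apis in RULES.items() if apis <= direct)
        tagged[str(block["first_ref"] or "?")] = tags
    return tagged


def tag_report(report: str) -> Dict[str, List[str]]:
    return tag_blocks(parse_blocks(report))


if __name__ == "__main__":
    for ref, tags in tag_report(SAMPLE_REPORT).items():
        print(ref, ", ".join(tags) or "-")
```

Indirect calls are kept out of the rule match on purpose: GetFileAttributesW reached through subcall 007A4FEC says something about the callee, not about the function whose block is being tagged, and counting it would make every caller of a shared helper light up the same rule.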
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00753740: CharUpperBuffW.USER32(?,008071DC,00000001,?,00000000,008071DC,?,007453A5,?,?,?,?), ref: 0075375D
                                                                                                                                                                              • _memmove.LIBCMT ref: 0074B68A
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: BuffCharUpper_memmove
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2819905725-0
                                                                                                                                                                              • Opcode ID: aff617526015b1f003ecd732ccf940bfb858f6507fa5a24e2e6d6ef9eebc34b2
                                                                                                                                                                              • Instruction ID: 89664e79000e2935b3b84b014d70adf89c4cfe0e8a4b455ad8a91ed4841dfe27
                                                                                                                                                                              • Opcode Fuzzy Hash: aff617526015b1f003ecd732ccf940bfb858f6507fa5a24e2e6d6ef9eebc34b2
                                                                                                                                                                              • Instruction Fuzzy Hash: 9CA25570608741DFD720DF28C484B2AB7E1FF89704F14896DE89A8B262D779ED45CB92
APIs
• GetFileAttributesW.KERNEL32(?,0078FC86), ref: 007A495A
• FindFirstFileW.KERNEL32(?,?), ref: 007A496B
• FindClose.KERNEL32(00000000), ref: 007A497B
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 0def84389a9dbfcf3aa39f05c5088870e5317f9120f38890a0f0ff9ea720af17
• Instruction ID: d5348e1a68b5554d1e56181841f7303a5e5271909a04920491c3412bf3bed7cb
• Opcode Fuzzy Hash: 0def84389a9dbfcf3aa39f05c5088870e5317f9120f38890a0f0ff9ea720af17
• Instruction Fuzzy Hash: 9BE0D8324115059B52106B38EC0D4EF7B6CAE87335F104706F535C10D0E7B9A95446D9
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3034c20af1671d51093400cafe59064028f1e436cfccc0889b7f71e9a6a81c89
• Instruction ID: f83c75e6edf3c2223281d7790c46b56f63bffbf699f0246afb2f5a92236e077b
• Opcode Fuzzy Hash: 3034c20af1671d51093400cafe59064028f1e436cfccc0889b7f71e9a6a81c89
• Instruction Fuzzy Hash: 6F22AE74D00215DFDB24DF58C484AAFB7B4FF49310F248169EA56AB351E338AD81CB91
APIs
• timeGetTime.WINMM ref: 0074BF57
  • Part of subcall function 007452B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007452E6
• Sleep.KERNEL32(0000000A,?,?), ref: 007836B5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessagePeekSleepTimetime
• String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
• API String ID: 1792118007-922114024
• Opcode ID: 1e0c999a5fcdd179eccc96e43fcbcdf6336c91152565026d474e165985f8144f
• Instruction ID: c0469b81301dd41d410e1c499ed33a8906c6f64bee16ff44fa46bf140e4fe1df
• Opcode Fuzzy Hash: 1e0c999a5fcdd179eccc96e43fcbcdf6336c91152565026d474e165985f8144f
• Instruction Fuzzy Hash: A0C2B170608341DFD728DF28C858BAAB7E4BF84704F14891DF58A972A1DB79ED44CB92

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00743444
• RegisterClassExW.USER32(00000030), ref: 0074346E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0074347F
• InitCommonControlsEx.COMCTL32(?), ref: 0074349C
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007434AC
• LoadIconW.USER32(000000A9), ref: 007434C2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007434D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 7e48893201f4c8355600550eefead75b8a3d0cc78063e269884e1a6632705d8b
• Instruction ID: 2b32df93e48431ad8a7c7e9596b1282cbb7ec70cc91107ee3b5183a26c54fa89
• Opcode Fuzzy Hash: 7e48893201f4c8355600550eefead75b8a3d0cc78063e269884e1a6632705d8b
• Instruction Fuzzy Hash: F4312AB1D41349AFDB909FA4DC88BDDBBF0FB08320F10812AE555A62A0D7B95581CF95

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00743444
• RegisterClassExW.USER32(00000030), ref: 0074346E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0074347F
• InitCommonControlsEx.COMCTL32(?), ref: 0074349C
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007434AC
• LoadIconW.USER32(000000A9), ref: 007434C2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007434D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 6a616c71f505a338c78c8289fe56ab14a4fc158ed1d5f9ab867cb6d1c626875b
• Instruction ID: 776741786cdf32e402db509243c73fd9abd74bba074864d39a705c40ccec0686
• Opcode Fuzzy Hash: 6a616c71f505a338c78c8289fe56ab14a4fc158ed1d5f9ab867cb6d1c626875b
• Instruction Fuzzy Hash: E921E5B1D05308AFDB409FA4EC88B9DBBF4FB08710F00912AF611A62A0D7B56540CFA9
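The two functions above register the "AutoIt v3 GUI" window class, the String ID of the timeGetTime/PeekMessageW loop carries interpreter macro names (@COM_EVENTOBJ, @GUI_CTRLHANDLE, @GUI_CTRLID, @GUI_WINHANDLE, @TRAY_ID), and the report also lists a RegOpenKeyExW on Software\AutoIt v3\AutoIt for the Include path: the image at 0x740000 in process 10 is the AutoIt v3 runtime with a compiled script, which is how this RedLine sample is packaged. A quick static triage that looks for those same strings in a file, as an added example and not part of the Joe Sandbox report (the sample bytes are constructed for the demonstration, and the two-distinct-hit threshold is an assumption chosen to avoid flagging a file that merely mentions AutoIt once):

```python
"""Static triage: does a binary carry the AutoIt v3 runtime strings this report lists?

Added example, not part of the Joe Sandbox report. The indicator list is the
strings the report attributes to the process 10 image at 0x740000; the sample
bytes below are constructed for the demonstration.
"""
import re
import sys

# Strings the report lists for the AutoIt runtime inside the sample.
AUTOIT_INDICATORS = (
    "AutoIt v3 GUI",                 # window class passed to RegisterClassExW
    "Software\\AutoIt v3\\AutoIt",   # registry path opened via RegOpenKeyExW
    "@GUI_CTRLHANDLE",               # interpreter macro names from the String ID
    "@GUI_CTRLID",
    "@GUI_WINHANDLE",
    "@COM_EVENTOBJ",
    "@TRAY_ID",
)


def _encodings(s: str):
    """Yield (label, needle) for the ASCII and UTF-16LE forms of an indicator.
    The sample uses the W (Unicode) APIs, so its strings are stored as UTF-16LE;
    an ASCII copy is checked too in case a packer or script stores it narrow."""
    yield "ascii", s.encode("ascii")
    yield "utf16le", s.encode("utf-16-le")


def find_autoit_indicators(data: bytes) -> list[dict]:
    """Return every hit as {'indicator', 'encoding', 'offset'}, sorted by offset."""
    hits = []
    for ind in AUTOIT_INDICATORS:
        for enc, needle in _encodings(ind):
            for m in re.finditer(re.escape(needle), data):
                hits.append({"indicator": ind, "encoding": enc, "offset": m.start()})
    hits.sort(key=lambda h: h["offset"])
    return hits


def is_probable_autoit(data: bytes, min_distinct: int = 2) -> bool:
    """Flag the blob when at least `min_distinct` different indicators appear.
    Assumed threshold: one hit alone (say, only the registry path) can come
    from an installer or editor that merely references AutoIt."""
    distinct = {h["indicator"] for h in find_autoit_indicators(data)}
    return len(distinct) >= min_distinct


def scan_file(path: str) -> list[dict]:
    """Read a file and return its indicator hits."""
    with open(path, "rb") as fh:
        return find_autoit_indicators(fh.read())


# Constructed sample: filler bytes with two indicators embedded as UTF-16LE,
# the way a Unicode build stores them. Offsets: 32 and 32 + 26 + 16 = 74.
SAMPLE = (
    b"\x00" * 32
    + "AutoIt v3 GUI".encode("utf-16-le")
    + b"\x90" * 16
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le")
    + b"\x00" * 8
)
# Constructed benign blob with none of the indicators.
BENIGN = b"MZ" + b"\x00" * 64 + b"just a normal string, no interpreter here"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in find_autoit_indicators(data):
        print(f"{h['offset']:#08x} {h['encoding']:8} {h['indicator']}")
    print("probable AutoIt runtime:", is_probable_autoit(data))
```

Run it against the dumped image (`python triage.py <dump.bin>`) rather than only the on-disk sample: the report's memory dumps are what contain the unpacked runtime, and a packed first stage may show none of these strings until it has been unpacked in memory.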

Control-flow Graph

APIs
  • Part of subcall function 007600CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00753094), ref: 007600ED
  • Part of subcall function 007608C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0075309F), ref: 007608E3
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007530E2
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007901BA
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007901FB
• RegCloseKey.ADVAPI32(?), ref: 00790239
• _wcscat.LIBCMT ref: 00790292
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 77e2c138e6afd21717ee7f5893e00d59946c899d0993942debe5ec4c674e2087
• Instruction ID: 311616307148ae1f0a9d18da9e074adc08ed8da2b904648ca215081961c89100
• Opcode Fuzzy Hash: 77e2c138e6afd21717ee7f5893e00d59946c899d0993942debe5ec4c674e2087
• Instruction Fuzzy Hash: A9717D71505701DEC740EF65EC499ABBBE8FF44341F80052EF885872A1EF749989CB96

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00755156
• LoadCursorW.USER32(00000000,00007F00), ref: 00755165
• LoadIconW.USER32(00000063), ref: 0075517C
• LoadIconW.USER32(000000A4), ref: 0075518E
• LoadIconW.USER32(000000A2), ref: 007551A0
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007551C6
• RegisterClassExW.USER32(?), ref: 0075521C
  • Part of subcall function 00743411: GetSysColorBrush.USER32(0000000F), ref: 00743444
  • Part of subcall function 00743411: RegisterClassExW.USER32(00000030), ref: 0074346E
  • Part of subcall function 00743411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0074347F
  • Part of subcall function 00743411: InitCommonControlsEx.COMCTL32(?), ref: 0074349C
  • Part of subcall function 00743411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007434AC
  • Part of subcall function 00743411: LoadIconW.USER32(000000A9), ref: 007434C2
  • Part of subcall function 00743411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007434D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 37bd54f9cadfc84d37347f8117b49fda2ecb9e318c4d842453c7b832681540b9
• Instruction ID: 60444d8424687c1e2235c12ab24aac19427b1e6d765b0a1fc814d23e88a57952
• Opcode Fuzzy Hash: 37bd54f9cadfc84d37347f8117b49fda2ecb9e318c4d842453c7b832681540b9
• Instruction Fuzzy Hash: C5214870E05308EFEF509FA4ED09B9D7BB5FB08311F00411AF505AA2A0D7BA6550CF94

Control-flow Graph

APIs
• WSAStartup.WS2_32(00000101,?), ref: 007B5E7E
• inet_addr.WSOCK32(?,?,?), ref: 007B5EC3
• gethostbyname.WS2_32(?), ref: 007B5ECF
• IcmpCreateFile.IPHLPAPI ref: 007B5EDD
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007B5F4D
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007B5F63
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 007B5FD8
• WSACleanup.WSOCK32 ref: 007B5FDE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 77687b640c829bba6a057fdf266b0608480e4bd7d471a745f62e106a140e6338
• Instruction ID: 38879581ee8e29548614cd9fc1206221d4e2b06afe4754add3c8ff87626f084e
• Opcode Fuzzy Hash: 77687b640c829bba6a057fdf266b0608480e4bd7d471a745f62e106a140e6338
• Instruction Fuzzy Hash: 8D516D31604601DFDB20EF24DC49BAAB7E4EF48720F148529F955DB2A1DB78E900DB42

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00754E22
• KillTimer.USER32(?,00000001), ref: 00754E4C
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00754E6F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00754E7A
• CreatePopupMenu.USER32 ref: 00754E8E
• PostQuitMessage.USER32(00000000), ref: 00754EAF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 270a4696422fa91bae4a25753310724413909196d9e7e7a028be5ea76c86f3f4
• Instruction ID: aa31739e6b672247c4c46014b9e9a26cfe26ec514738d3f33432c0e607c79ddd
• Opcode Fuzzy Hash: 270a4696422fa91bae4a25753310724413909196d9e7e7a028be5ea76c86f3f4
• Instruction Fuzzy Hash: 85412531609245EBEF915F68AC0FBFA3665F740316F044125FD02D52E1CAECAC9897A5

Control-flow Graph

APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0074ADE1
• CoUninitialize.COMBASE ref: 0074AE80
• UnregisterHotKey.USER32(?), ref: 0074AFD7
• DestroyWindow.USER32(?), ref: 00782F64
• FreeLibrary.KERNEL32(?), ref: 00782FC9
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00782FF6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 4f83a9744c0aba0b3f1149c18f56c11ea165aca65d1d9aa3ff8c30e171102b62
• Instruction ID: c93f5704e5e6ebf399d5c8ce596488821e08dc400edd623e49477a4ef4e624be
• Opcode Fuzzy Hash: 4f83a9744c0aba0b3f1149c18f56c11ea165aca65d1d9aa3ff8c30e171102b62
• Instruction Fuzzy Hash: 7DA16D70742212DFCB29EF14C499B69F365BF04701F5042ADE90AAB252DB39ED16CF91

Control-flow Graph

APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00790C5B
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
• _memset.LIBCMT ref: 00755787
• _wcscpy.LIBCMT ref: 007557DB
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007557EB
• __swprintf.LIBCMT ref: 00790CD1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
• String ID: Line %d: $2#2#$AutoIt -
• API String ID: 230667853-2022516920
• Opcode ID: bbb5a8eaa8b6fab3992ed893e331dd3d59b7137018893cc73426422fb33676ae
• Instruction ID: 9f11b088bdfaa485a10830dcecfc695893c231b81c3490dfd23558cb77c0eea5
• Opcode Fuzzy Hash: bbb5a8eaa8b6fab3992ed893e331dd3d59b7137018893cc73426422fb33676ae
• Instruction Fuzzy Hash: 2A41D671408304EAD321EB60DC49BDF77ECAF45352F400A1EF985921A1EBB8A64DC7A6

Control-flow Graph
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00755109
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0075512A
• ShowWindow.USER32(00000000), ref: 0075513E
• ShowWindow.USER32(00000000), ref: 00755147
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: da433b520b9e6ac74fba40a0d73f763e814dacac554d59ad472ee70e2bf7b80a
• Instruction ID: 1bcac8b92f05495451d6bb12f02524edba199de792e1a6d68a79f84f21406e3d
• Opcode Fuzzy Hash: da433b520b9e6ac74fba40a0d73f763e814dacac554d59ad472ee70e2bf7b80a
• Instruction Fuzzy Hash: 87F03A70A452907EFA7117236C4CF272E7DE7C6F20F00401AB900A62B0C6652840CAB0

Control-flow Graph
APIs
  • Part of subcall function 00754A8C: _fseek.LIBCMT ref: 00754AA4
  • Part of subcall function 007A9CF1: _wcscmp.LIBCMT ref: 007A9DE1
  • Part of subcall function 007A9CF1: _wcscmp.LIBCMT ref: 007A9DF4
• _free.LIBCMT ref: 007A9C5F
• _free.LIBCMT ref: 007A9C66
• _free.LIBCMT ref: 007A9CD1
  • Part of subcall function 00762F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00769C54,00000000,00768D5D,007659C3), ref: 00762F99
  • Part of subcall function 00762F85: GetLastError.KERNEL32(00000000,?,00769C54,00000000,00768D5D,007659C3), ref: 00762FAB
• _free.LIBCMT ref: 007A9CD9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 1552873950-2806939583
• Opcode ID: f5538ae4973e842a3f381e374052794b9fd18ff8198279df727bcc9ca4743f92
• Instruction ID: 464334f032d9434e982559a1d52571a57cb5f8d23f5de103e75885ecb8e98ada
• Opcode Fuzzy Hash: f5538ae4973e842a3f381e374052794b9fd18ff8198279df727bcc9ca4743f92
• Instruction Fuzzy Hash: AB515DB1904219EFDF24DF64DC85AAEBBB9FF48304F00419EB609A3241DB755E948F58
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
• Instruction ID: 9a164eed39378922d78979dfb74c1d4e5d33ac630356c24d2dbcda2ee53291e8
• Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
• Instruction Fuzzy Hash: 1351C030A00B05DBDB248FA9C88466EB7B5AF40720F248729FC3B962D0D7789D50EB51
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007452E6
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0074534A
• TranslateMessage.USER32(?), ref: 00745356
• DispatchMessageW.USER32(?), ref: 00745360
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Message$Peek$DispatchTranslate
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1795658109-0
                                                                                                                                                                              • Opcode ID: e0812ce7c6fc1bb2d31750d0245bedc80f98f7b4e8c8f387817e25b2f8425e9e
                                                                                                                                                                              • Instruction ID: 1e6ea6e2526f795b4c03b62bf55b0b516604fffbd9e565133be2c9be86e64134
                                                                                                                                                                              • Opcode Fuzzy Hash: e0812ce7c6fc1bb2d31750d0245bedc80f98f7b4e8c8f387817e25b2f8425e9e
                                                                                                                                                                              • Instruction Fuzzy Hash: 5731F430908705DBEB708F649C44BAA77B8BF01788F24806AE426961D2D7BDA885D711
                                                                                                                                                                              APIs
                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A581B
                                                                                                                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007A5829
                                                                                                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A5831
                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007A583B
                                                                                                                                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A5877
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2833360925-0
                                                                                                                                                                              • Opcode ID: 2bee64b5abd30c5118280f72ee69f3aa86bc446cf0bd6f5ad6c9f2694181603d
                                                                                                                                                                              • Instruction ID: 705e7c3b7477d2b5182ee8dc55ad8fb87d89fd60922458b863b8ee86086b8460
                                                                                                                                                                              • Opcode Fuzzy Hash: 2bee64b5abd30c5118280f72ee69f3aa86bc446cf0bd6f5ad6c9f2694181603d
                                                                                                                                                                              • Instruction Fuzzy Hash: D2012931D02A2DEBDF009FE5D849AEDBBB8FB4A711F008656E541B2140DB3D9990CBA5
                                                                                                                                                                              APIs
                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00741275,SwapMouseButtons,00000004,?), ref: 007412A8
                                                                                                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00741275,SwapMouseButtons,00000004,?), ref: 007412C9
                                                                                                                                                                              • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00741275,SwapMouseButtons,00000004,?), ref: 007412EB
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CloseOpenQueryValue
                                                                                                                                                                              • String ID: Control Panel\Mouse
                                                                                                                                                                              • API String ID: 3677997916-824357125
                                                                                                                                                                              • Opcode ID: 5eba66ae8d96d29a383e4787da50f477c3a6b95403a42bb0fa1d8edf020ab04b
                                                                                                                                                                              • Instruction ID: 0fa4dd0966333b10d60619cb08202d15782ec57615e2cdde9a58717606b83174
                                                                                                                                                                              • Opcode Fuzzy Hash: 5eba66ae8d96d29a383e4787da50f477c3a6b95403a42bb0fa1d8edf020ab04b
                                                                                                                                                                              • Instruction Fuzzy Hash: 5B112775611208FFDB209FA4DC84EAEBBB8EF05741F50856AF805D7210E7759E80ABA4
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 0076593C: __FF_MSGBANNER.LIBCMT ref: 00765953
                                                                                                                                                                                • Part of subcall function 0076593C: __NMSG_WRITE.LIBCMT ref: 0076595A
                                                                                                                                                                                • Part of subcall function 0076593C: RtlAllocateHeap.NTDLL(01990000,00000000,00000001,?,00000004,?,?,00761003,?), ref: 0076597F
                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 0076101C
                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 00761031
                                                                                                                                                                                • Part of subcall function 007687CB: RaiseException.KERNEL32(?,?,?,007FCAF8,?,?,?,?,?,00761036,?,007FCAF8,?,00000001), ref: 00768820
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                                                              • String ID: `=}$h=}
                                                                                                                                                                              • API String ID: 3902256705-2192852056
                                                                                                                                                                              • Opcode ID: 0323489680dfd3943f22ca74627cf0d018e0ecba5171c83cffc8f1452012b526
                                                                                                                                                                              • Instruction ID: 048edf485c919bc9fd1deeefa798d6ce8ad1ce0b47ed003b9ec7813fd0c4619f
                                                                                                                                                                              • Opcode Fuzzy Hash: 0323489680dfd3943f22ca74627cf0d018e0ecba5171c83cffc8f1452012b526
                                                                                                                                                                              • Instruction Fuzzy Hash: D5F04C3460421DF6CB20BB98DD1D9DF77AC9F01310F100466FC1692281DFB89B80C6E2
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 00755B58
                                                                                                                                                                                • Part of subcall function 007556F8: _memset.LIBCMT ref: 00755787
                                                                                                                                                                                • Part of subcall function 007556F8: _wcscpy.LIBCMT ref: 007557DB
                                                                                                                                                                                • Part of subcall function 007556F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007557EB
                                                                                                                                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00755BAD
                                                                                                                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00755BBC
                                                                                                                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00790D7C
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1378193009-0
                                                                                                                                                                              • Opcode ID: c68ed2257e350e66e0bdfb337a01de0b4d5d3e8e0cc89a8d40e4e2d2d605cc64
                                                                                                                                                                              • Instruction ID: 3c50f6c3c381b7a9c38f395311a492de2582e4709b37212dae62189df92a35f6
                                                                                                                                                                              • Opcode Fuzzy Hash: c68ed2257e350e66e0bdfb337a01de0b4d5d3e8e0cc89a8d40e4e2d2d605cc64
                                                                                                                                                                              • Instruction Fuzzy Hash: B321FF70505B849FEB728764D899FE6BBFCAF01305F04049DE69A56141C7782988CB91
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007549C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,007527AF,?,00000001), ref: 007549F4
                                                                                                                                                                              • _free.LIBCMT ref: 0078FB04
                                                                                                                                                                              • _free.LIBCMT ref: 0078FB4B
                                                                                                                                                                                • Part of subcall function 007529BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00752ADF
                                                                                                                                                                              Strings
                                                                                                                                                                              • Bad directive syntax error, xrefs: 0078FB33
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: Bad directive syntax error
• API String ID: 2861923089-2118420937
• Opcode ID: 2758748a18f6054a7a6b7e160012cf585b0548afd5a1e6238a7f89e23bbdaf3e
• Instruction ID: 59082c4fdd291b6d709cca4b665f5824b4890532f944a9fb01d27d0ec2b3adee
• Opcode Fuzzy Hash: 2758748a18f6054a7a6b7e160012cf585b0548afd5a1e6238a7f89e23bbdaf3e
• Instruction Fuzzy Hash: D9918071940219EFCF08EFA4CC559EEB7B4FF09310F14452AF816AB2A1DB78A945CB50
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _memmove
• String ID: AU3! ?}$EA06
• API String ID: 4104443479-645541865
• Opcode ID: cab218e8dc256c80f6e661f731b79c070897dc0152de6009610972bdd7b93794
• Instruction ID: 4d9eff65afec7c18e1cc242ef4eaaa0eec29984658d1586847fac82b883ecda1
• Opcode Fuzzy Hash: cab218e8dc256c80f6e661f731b79c070897dc0152de6009610972bdd7b93794
• Instruction Fuzzy Hash: 35419D62A04198ABDF219B548856BFF7BA19B45305F184074EC82E7286D7ADADC883E1
APIs
  • Part of subcall function 00754AB2: __fread_nolock.LIBCMT ref: 00754AD0
• _wcscmp.LIBCMT ref: 007A9DE1
• _wcscmp.LIBCMT ref: 007A9DF4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 0e33d6c02c0a79970b8863f4aa5f0c61bc973bd3366b73ecbb00fa79c74026c1
• Instruction ID: 53e53f593d98baf1051787d7d166f74207d2f9202d15e7325a86253ad144542c
• Opcode Fuzzy Hash: 0e33d6c02c0a79970b8863f4aa5f0c61bc973bd3366b73ecbb00fa79c74026c1
• Instruction Fuzzy Hash: 2641F872A40209FADF20DBA4CC49FEF77BDDF86714F00446AFA00A7281D679AD448764
APIs
• _memset.LIBCMT ref: 0079032B
• GetOpenFileNameW.COMDLG32(?), ref: 00790375
  • Part of subcall function 00760284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00752A58,?,00008000), ref: 007602A4
  • Part of subcall function 007609C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007609E4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
• Opcode ID: 83c1f26cc7e011177bd82b9586fe543014b27b2cb54d59a74e9fc75af8c24bca
• Instruction ID: 838e6663029a43dfdb9456a6e3e36980bb20de470701f129e10fc4758582f566
• Opcode Fuzzy Hash: 83c1f26cc7e011177bd82b9586fe543014b27b2cb54d59a74e9fc75af8c24bca
• Instruction Fuzzy Hash: 2021C671A0428C9BDF41DF94D809BEE7BF8AF49301F00405AE909A7241DBF8598DDF91
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8ca4caea1c6f0f7cccb3efd0fe29bf7c3e3173e95d476bad08698bca6d962a7
• Instruction ID: 9a1b2588799dd9b18b8a30650d4e0abee96a3da63433a647e43375f878b9fa28
• Opcode Fuzzy Hash: a8ca4caea1c6f0f7cccb3efd0fe29bf7c3e3173e95d476bad08698bca6d962a7
• Instruction Fuzzy Hash: 24F11770608341DFC724DF28C484A6ABBE5BF88314F14892EF8999B251E775ED45CF92
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 861db827404322b6d810c3d2c3cbd943a7e9a17c952146e4b6540856fed16a93
• Instruction ID: 42aa9be548fcb506dd3ff9fe0d4ecc32ee665529be8ae149a277c241b5613b3b
• Opcode Fuzzy Hash: 861db827404322b6d810c3d2c3cbd943a7e9a17c952146e4b6540856fed16a93
• Instruction Fuzzy Hash: 8B61DC71600209EBDF048F29D8807AA7BB4FF44312F98C5A9EC19CF295EB79D964CB50
APIs
  • Part of subcall function 0075FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007C4186,00000001,007D0980), ref: 0075FFA7
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0074AD08
• OleInitialize.OLE32(00000000), ref: 0074AD85
• CloseHandle.KERNEL32(00000000), ref: 00782F56
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 3815369404-0
• Opcode ID: f8d03d5a6195a715f73ff32796165d3edf1dabdef3ea657a48b3c39a5d7ca1c6
• Instruction ID: 65fca29c8c2b7fe003b9c246088a4f9975773a0f7804a5fdfbddf94f9fc32180
• Opcode Fuzzy Hash: f8d03d5a6195a715f73ff32796165d3edf1dabdef3ea657a48b3c39a5d7ca1c6
• Instruction Fuzzy Hash: 794135B0E0D680CED3D9EF69AC496997FE4FB59310700826AD519C33B2EB742405CFA9
APIs
• _memset.LIBCMT ref: 007559F9
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00755A9E
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00755ABB
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
APIs
• __FF_MSGBANNER.LIBCMT ref: 00765953
  • Part of subcall function 0076A39B: __NMSG_WRITE.LIBCMT ref: 0076A3C2
  • Part of subcall function 0076A39B: __NMSG_WRITE.LIBCMT ref: 0076A3CC
• __NMSG_WRITE.LIBCMT ref: 0076595A
  • Part of subcall function 0076A3F8: GetModuleFileNameW.KERNEL32(00000000,008053BA,00000104,00000004,00000001,00761003), ref: 0076A48A
  • Part of subcall function 0076A3F8: ___crtMessageBoxW.LIBCMT ref: 0076A538
  • Part of subcall function 007632CF: ___crtCorExitProcess.LIBCMT ref: 007632D5
  • Part of subcall function 007632CF: ExitProcess.KERNEL32 ref: 007632DE
  • Part of subcall function 00768D58: __getptd_noexit.LIBCMT ref: 00768D58
• RtlAllocateHeap.NTDLL(01990000,00000000,00000001,?,00000004,?,?,00761003,?), ref: 0076597F
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
APIs
• _free.LIBCMT ref: 007A92D6
  • Part of subcall function 00762F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00769C54,00000000,00768D5D,007659C3), ref: 00762F99
  • Part of subcall function 00762F85: GetLastError.KERNEL32(00000000,?,00769C54,00000000,00768D5D,007659C3), ref: 00762FAB
• _free.LIBCMT ref: 007A92E7
• _free.LIBCMT ref: 007A92F9
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
APIs
• _strcat.LIBCMT ref: 007BE20C
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
• _wcscpy.LIBCMT ref: 007BE29B
Similarity
• API ID: __itow__swprintf_strcat_wcscpy
• String ID:
• API String ID: 1012013722-0
APIs
• CharLowerBuffW.USER32(?,?), ref: 007A614E
Similarity
• API ID: BuffCharLower
• String ID:
• API String ID: 2358735015-0
APIs
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memmove
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4104443479-0
                                                                                                                                                                              • Opcode ID: fff051c5351fdebea0f76ebdd73b19a0f19a6f31e57e8a58e251f94161cf2783
                                                                                                                                                                              • Instruction ID: 923fc04a3368bc7d81c879b273884e2ee919814b437a37212166697de8a39f71
                                                                                                                                                                              • Opcode Fuzzy Hash: fff051c5351fdebea0f76ebdd73b19a0f19a6f31e57e8a58e251f94161cf2783
                                                                                                                                                                              • Instruction Fuzzy Hash: E3410B7250C209EFC724EFA8CC85DBEB7A8EF9A340B244699F545D7241DB799C00DBA0
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CloseErrorHandleMode
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3953868439-0
                                                                                                                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                              • Instruction ID: 1aaa813090fd9cb2bab9e977c97562eb30146759e6cc2d67473f6b5e81480ecd
                                                                                                                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                              • Instruction Fuzzy Hash: CE31C571A00119DFD719EF58D48496AF7A6FF59300B648AA5E80ACB251E73AEDC1CBC0
                                                                                                                                                                              APIs
                                                                                                                                                                              • IsThemeActive.UXTHEME ref: 00755FEF
                                                                                                                                                                                • Part of subcall function 0076359C: __lock.LIBCMT ref: 007635A2
                                                                                                                                                                                • Part of subcall function 0076359C: DecodePointer.KERNEL32(00000001,?,00756004,00798892), ref: 007635AE
                                                                                                                                                                                • Part of subcall function 0076359C: EncodePointer.KERNEL32(?,?,00756004,00798892), ref: 007635B9
                                                                                                                                                                                • Part of subcall function 00755F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00755F18
                                                                                                                                                                                • Part of subcall function 00755F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00755F2D
                                                                                                                                                                                • Part of subcall function 00755240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0075526C
                                                                                                                                                                                • Part of subcall function 00755240: IsDebuggerPresent.KERNEL32 ref: 0075527E
                                                                                                                                                                                • Part of subcall function 00755240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 007552E6
                                                                                                                                                                                • Part of subcall function 00755240: SetCurrentDirectoryW.KERNEL32(?), ref: 00755366
                                                                                                                                                                              • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0075602F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1438897964-0
                                                                                                                                                                              • Opcode ID: f3b8814b7e4555edf98d1a903a478483e6148913865b0c327ce42e78cbd9fe4c
                                                                                                                                                                              • Instruction ID: 98aba34d037cc648b9e61861841501739e4cee517f7144cbea164f4bcb168159
                                                                                                                                                                              • Opcode Fuzzy Hash: f3b8814b7e4555edf98d1a903a478483e6148913865b0c327ce42e78cbd9fe4c
                                                                                                                                                                              • Instruction Fuzzy Hash: 47116D71A08301DBC710DF69ED49A4ABBE8FF98710F40451EF485872B1DBB4A548CF96
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __lock_file_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 26237723-0
                                                                                                                                                                              • Opcode ID: 6e0d2933fa3b242dd6d6167b06c52c96c10e3c065645eeabb8041a3fa8faa3a2
                                                                                                                                                                              • Instruction ID: d362c2053d3f2451ab6800b5270ce2115da8c171adc526883f131763d8630a3d
                                                                                                                                                                              • Opcode Fuzzy Hash: 6e0d2933fa3b242dd6d6167b06c52c96c10e3c065645eeabb8041a3fa8faa3a2
                                                                                                                                                                              • Instruction Fuzzy Hash: B6018471800649EBCF12AF69CC0989E7B61AF80760F144315FC2A2B1A1D7398A21EF92
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00768D58: __getptd_noexit.LIBCMT ref: 00768D58
                                                                                                                                                                              • __lock_file.LIBCMT ref: 0076560B
                                                                                                                                                                                • Part of subcall function 00766E3E: __lock.LIBCMT ref: 00766E61
                                                                                                                                                                              • __fclose_nolock.LIBCMT ref: 00765616
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2800547568-0
                                                                                                                                                                              • Opcode ID: 54c1d89cfc24153d616db3b4dd4279896818689765da5cbee0a98b07f2162605
                                                                                                                                                                              • Instruction ID: c219d8a955e7984ba6f727a07981e3f4832f5f8f53b40c790327e4953b4dace7
                                                                                                                                                                              • Opcode Fuzzy Hash: 54c1d89cfc24153d616db3b4dd4279896818689765da5cbee0a98b07f2162605
                                                                                                                                                                              • Instruction Fuzzy Hash: 35F090B1901B05DAD7516B69C80E76E67A26F40730F158209BC2BAB1C2CB7C4901AF52
                                                                                                                                                                              APIs
                                                                                                                                                                              • __lock_file.LIBCMT ref: 00765EB4
                                                                                                                                                                              • __ftell_nolock.LIBCMT ref: 00765EBF
                                                                                                                                                                                • Part of subcall function 00768D58: __getptd_noexit.LIBCMT ref: 00768D58
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2999321469-0
                                                                                                                                                                              • Opcode ID: 934dab847dd753ba4220868243b351e035e1f1dfcf898a4daec79a043b89d25a
                                                                                                                                                                              • Instruction ID: 334fdaf14fd1a1530e243ad7722cf2ceb1211f704bc97485c890989334e0be35
                                                                                                                                                                              • Opcode Fuzzy Hash: 934dab847dd753ba4220868243b351e035e1f1dfcf898a4daec79a043b89d25a
                                                                                                                                                                              • Instruction Fuzzy Hash: BDF0A771911619DADB40BB74C90A75E76906F01331F154306BC26AF1C1CF7C4E01AB56
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 00755AEF
                                                                                                                                                                              • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00755B1F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: IconNotifyShell__memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 928536360-0
                                                                                                                                                                              • Opcode ID: 26ce6943d81ade48f4794841d88f886b67743ab65b6ed5d6eb1e7935fd923c1c
                                                                                                                                                                              • Instruction ID: 00c31ced2cad563111c40c9ef5e23e9c7ee7b7050aff3d87b9e334c92a1f57d3
                                                                                                                                                                              • Opcode Fuzzy Hash: 26ce6943d81ade48f4794841d88f886b67743ab65b6ed5d6eb1e7935fd923c1c
                                                                                                                                                                              • Instruction Fuzzy Hash: 22F0A770C093489FE7D28B64DC497D57BBCAB01308F0001EAAA4996292D7751B88CF95
                                                                                                                                                                              APIs
                                                                                                                                                                              • ___crtCorExitProcess.LIBCMT ref: 007632D5
                                                                                                                                                                                • Part of subcall function 0076329B: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,007632DA,00761003,?,00769EEE,000000FF,0000001E,007FCE28,00000008,00769E52,00761003,00761003), ref: 007632AA
                                                                                                                                                                                • Part of subcall function 0076329B: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 007632BC
                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 007632DE
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2427264223-0
                                                                                                                                                                              • Opcode ID: 60f19ad4c6374395e2bb7ff2d5aba9c6e5dc358b405987040dd1f85f1ad3b312
                                                                                                                                                                              • Instruction ID: 636f6be62c63c07b4bb7cca90f3dd35789a8ba79035623e3d3d0dbcb8bf1d710
                                                                                                                                                                              • Opcode Fuzzy Hash: 60f19ad4c6374395e2bb7ff2d5aba9c6e5dc358b405987040dd1f85f1ad3b312
                                                                                                                                                                              • Instruction Fuzzy Hash: 48B09230000208BFCB012F12DC0E8483F29FB00A90B408025F80508071DB76AE92DAC4
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: LoadString$__swprintf
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 207118244-0
                                                                                                                                                                              • Opcode ID: 6e3e9341cd3178b5a534d505ae0fe5539a548659ba828c2173e0fd66c79a4c44
                                                                                                                                                                              • Instruction ID: 6789ef245f9c4e43915e0effdbe4ecb236048d0b5d081f31ffbe1d0b5ac4a8c3
                                                                                                                                                                              • Opcode Fuzzy Hash: 6e3e9341cd3178b5a534d505ae0fe5539a548659ba828c2173e0fd66c79a4c44
                                                                                                                                                                              • Instruction Fuzzy Hash: A7B15E34E0010ADFCB15DF94C895EEEB7B5FF48310F20811AF915AB291EB78A955CB90
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: d8ca90573dbdc92e5c9a5cc6ec5feeb3c1a10bbad88b7a8e14aefd74e9613430
                                                                                                                                                                              • Instruction ID: 25f0f44034d7521fa7fcc2f2b64e464d63f3fbb0d51e967672fb415e1b00dc13
                                                                                                                                                                              • Opcode Fuzzy Hash: d8ca90573dbdc92e5c9a5cc6ec5feeb3c1a10bbad88b7a8e14aefd74e9613430
                                                                                                                                                                              • Instruction Fuzzy Hash: 9261DF74640606EFDB10EF54C885A7AB7E9FF48300F15812DE9168B292E778FD81CB61
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memmove
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4104443479-0
                                                                                                                                                                              • Opcode ID: 544c0db461fe5687d1b22e364178f0e94cce9633798dc6ef396c6fb350ef1d63
                                                                                                                                                                              • Instruction ID: c57a23dfdaaa1598986e19eedbffc2b5e01685711ab79e42a7b8cf3b6dcd1a80
                                                                                                                                                                              • Opcode Fuzzy Hash: 544c0db461fe5687d1b22e364178f0e94cce9633798dc6ef396c6fb350ef1d63
                                                                                                                                                                              • Instruction Fuzzy Hash: 5231C075204602EFC724DF18D094AB2F7A0FF08391714C569ED8A8B761EB74E895CB90
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ClearVariant
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1473721057-0
                                                                                                                                                                              • Opcode ID: 8bf2500edd158a04968c10319d182bde96686e1bbd481430e9269662cd87e167
                                                                                                                                                                              • Instruction ID: ad38adc525169126e518f12b190f9903fd60bbaf6692ca0c49ae603fdadd2b00
                                                                                                                                                                              • Opcode Fuzzy Hash: 8bf2500edd158a04968c10319d182bde96686e1bbd481430e9269662cd87e167
                                                                                                                                                                              • Instruction Fuzzy Hash: 08411974508351DFDB14DF14C598B1ABBE1BF45308F1989ACE88A8B362C379EC85CB92
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00754B29: FreeLibrary.KERNEL32(00000000,?), ref: 00754B63
                                                                                                                                                                                • Part of subcall function 0076547B: __wfsopen.LIBCMT ref: 00765486
                                                                                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,007527AF,?,00000001), ref: 007549F4
                                                                                                                                                                                • Part of subcall function 00754ADE: FreeLibrary.KERNEL32(00000000), ref: 00754B18
                                                                                                                                                                                • Part of subcall function 007548B0: _memmove.LIBCMT ref: 007548FA
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1396898556-0
                                                                                                                                                                              • Opcode ID: f0df71ad9ed09e279b17991985bfff75123794c8b5eb438217a482e191e973ce
                                                                                                                                                                              • Instruction ID: 9946a40fa0dad2018e7b354315a0c5373e3c0fe3e7eeff1192eaa0f5dbc1f76d
                                                                                                                                                                              • Opcode Fuzzy Hash: f0df71ad9ed09e279b17991985bfff75123794c8b5eb438217a482e191e973ce
                                                                                                                                                                              • Instruction Fuzzy Hash: 9F11C431650205EBCF14EB60CC0AFEE77A99F40706F108429F941B6182EAB99A58A794
                                                                                                                                                                              APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
• GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 007B4998
Similarity
• API ID: EnvironmentVariable
• String ID:
• API String ID: 1431749950-0
APIs
  • Part of subcall function 00760FE6: std::exception::exception.LIBCMT ref: 0076101C
  • Part of subcall function 00760FE6: __CxxThrowException@8.LIBCMT ref: 00761031
• _memmove.LIBCMT ref: 0077DC8B
Similarity
• API ID: Exception@8Throw_memmovestd::exception::exception
• String ID:
• API String ID: 1602317333-0
APIs
Similarity
• API ID: _fseek
• String ID:
• API String ID: 2937370855-0
APIs
• FreeLibrary.KERNEL32(?,?,?,007527AF,?,00000001), ref: 00754A63
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
                                                                                                                                                                              • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                                                                                                              • Instruction ID: 581827d16ce2438c429f2cd12d13bab69c935d6ed056c2130f67e00e1c95e51f
                                                                                                                                                                              • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                                                                                                              • Instruction Fuzzy Hash: 35F0F87240020DFFDF45CF90C945EAABB79FB14314F208589FD198B252D37AEA61AB91
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007609E4
                                                                                                                                                                                • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: LongNamePath_memmove
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2514874351-0
                                                                                                                                                                              • Opcode ID: 308b4e1e097bac95130a9e25825e9e52c0300237ddbfd5f5bfefaed341798cba
                                                                                                                                                                              • Instruction ID: 26dee5c25b2765f8fbcb216a95995bce477f2e39f416e5253f457b16059b7d60
                                                                                                                                                                              • Opcode Fuzzy Hash: 308b4e1e097bac95130a9e25825e9e52c0300237ddbfd5f5bfefaed341798cba
                                                                                                                                                                              • Instruction Fuzzy Hash: 84E0863290012857C721969C9C09FEE77EDDB896A1F0442B7FC0CD7214D965AC8186D1
                                                                                                                                                                              APIs
                                                                                                                                                                              • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,007A3E7D,?,?,?), ref: 007A3F0D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CopyFile
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1304948518-0
                                                                                                                                                                              • Opcode ID: 52ed28cceaaa36669c8b2f715d63bbbf5cc4a2d7e6e7e7542c1fbeb0f0e479b7
                                                                                                                                                                              • Instruction ID: 4195bdf5b6fa9362873853e7d98746ada0cd6df7a1146411d129f8be3eefddaa
                                                                                                                                                                              • Opcode Fuzzy Hash: 52ed28cceaaa36669c8b2f715d63bbbf5cc4a2d7e6e7e7542c1fbeb0f0e479b7
                                                                                                                                                                              • Instruction Fuzzy Hash: 8CD0A7315E120CBBEF50DFA0CC06F68B7BCE701706F1002A4B504D90E0DA76691497A5
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetFileAttributesW.KERNEL32(?,007A3BFE), ref: 007A4FED
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AttributesFile
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3188754299-0
                                                                                                                                                                              • Opcode ID: 9f0c3bc6f326841af27808b9801cb6004f95bc30c7c1b538fd498c756a3ebfb2
                                                                                                                                                                              • Instruction ID: d2fdd01f714282a688febf8dea4e37f40a5e633a5041b8b5fe64b351e3fc2a74
                                                                                                                                                                              • Opcode Fuzzy Hash: 9f0c3bc6f326841af27808b9801cb6004f95bc30c7c1b538fd498c756a3ebfb2
                                                                                                                                                                              • Instruction Fuzzy Hash: 76B092360416005E9D281E3C194819D37919BC33A9BDC3B82E478854E1927F884BA520
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __wfsopen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 197181222-0
                                                                                                                                                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                                                              • Instruction ID: 318ca154e947099543f2a566d0b96bcbbea91410e06e06c4054abfa5da9fad8c
                                                                                                                                                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                                                              • Instruction Fuzzy Hash: 38B0927644020CB7CE012A82EC03E593F299B40668F408060FF0C1C162AA77AAA0A689
                                                                                                                                                                              APIs
                                                                                                                                                                              • _doexit.LIBCMT ref: 00763592
                                                                                                                                                                                • Part of subcall function 00763459: __lock.LIBCMT ref: 00763467
                                                                                                                                                                                • Part of subcall function 00763459: DecodePointer.KERNEL32(007FCB70,0000001C,007633B2,00761003,00000001,00000000,?,00763300,000000FF,?,00769E5E,00000011,00761003,?,00769CAC,0000000D), ref: 007634A6
                                                                                                                                                                                • Part of subcall function 00763459: DecodePointer.KERNEL32(?,00763300,000000FF,?,00769E5E,00000011,00761003,?,00769CAC,0000000D), ref: 007634B7
                                                                                                                                                                                • Part of subcall function 00763459: EncodePointer.KERNEL32(00000000,?,00763300,000000FF,?,00769E5E,00000011,00761003,?,00769CAC,0000000D), ref: 007634D0
                                                                                                                                                                                • Part of subcall function 00763459: DecodePointer.KERNEL32(-00000004,?,00763300,000000FF,?,00769E5E,00000011,00761003,?,00769CAC,0000000D), ref: 007634E0
                                                                                                                                                                                • Part of subcall function 00763459: EncodePointer.KERNEL32(00000000,?,00763300,000000FF,?,00769E5E,00000011,00761003,?,00769CAC,0000000D), ref: 007634E6
                                                                                                                                                                                • Part of subcall function 00763459: DecodePointer.KERNEL32(?,00763300,000000FF,?,00769E5E,00000011,00761003,?,00769CAC,0000000D), ref: 007634FC
                                                                                                                                                                                • Part of subcall function 00763459: DecodePointer.KERNEL32(?,00763300,000000FF,?,00769E5E,00000011,00761003,?,00769CAC,0000000D), ref: 00763507
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2158581194-0
                                                                                                                                                                              • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                                                                              • Instruction ID: 0e200c6c8a9e23632b3664aae9beda43d7af11af06e12b42e38f258d7290d325
                                                                                                                                                                              • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                                                                              • Instruction Fuzzy Hash: 8BB0127198030C73DA112541EC03F257F0C4740B60F100021FE0C1C1E1A9D3766080C9
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007A4005: FindFirstFileW.KERNEL32(?,?), ref: 007A407C
                                                                                                                                                                                • Part of subcall function 007A4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 007A40CC
                                                                                                                                                                                • Part of subcall function 007A4005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 007A40DD
                                                                                                                                                                                • Part of subcall function 007A4005: FindClose.KERNEL32(00000000), ref: 007A40F4
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 007AC292
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• String ID:
• API String ID: 2191629493-0
• Opcode ID: fcbd9bbe5f337ff1eb19d6aa64498e89c29506e1df074ec74b538bb0f15113cb
• Instruction ID: 5cd2e1d361a7cf1f020af3c338fc705591c9db119635e5a1652a1c7cca42956c
• Opcode Fuzzy Hash: fcbd9bbe5f337ff1eb19d6aa64498e89c29506e1df074ec74b538bb0f15113cb
• Instruction Fuzzy Hash: 52F08C323102109FCB10EF59D858B6AB7E5AF89320F058059FA498B352CB78BC01DB94
APIs
  • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007CD208
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CD249
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007CD28E
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CD2B8
• SendMessageW.USER32 ref: 007CD2E1
• _wcsncpy.LIBCMT ref: 007CD359
• GetKeyState.USER32(00000011), ref: 007CD37A
• GetKeyState.USER32(00000009), ref: 007CD387
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CD39D
• GetKeyState.USER32(00000010), ref: 007CD3A7
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CD3D0
• SendMessageW.USER32 ref: 007CD3F7
• SendMessageW.USER32(?,00001030,?,007CB9BA), ref: 007CD4FD
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007CD513
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007CD526
• SetCapture.USER32(?), ref: 007CD52F
• ClientToScreen.USER32(?,?), ref: 007CD594
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007CD5A1
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007CD5BB
• ReleaseCapture.USER32 ref: 007CD5C6
• GetCursorPos.USER32(?), ref: 007CD600
• ScreenToClient.USER32(?,?), ref: 007CD60D
• SendMessageW.USER32(?,00001012,00000000,?), ref: 007CD669
• SendMessageW.USER32 ref: 007CD697
• SendMessageW.USER32(?,00001111,00000000,?), ref: 007CD6D4
• SendMessageW.USER32 ref: 007CD703
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007CD724
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 007CD733
• GetCursorPos.USER32(?), ref: 007CD753
• ScreenToClient.USER32(?,?), ref: 007CD760
• GetParent.USER32(?), ref: 007CD780
• SendMessageW.USER32(?,00001012,00000000,?), ref: 007CD7E9
• SendMessageW.USER32 ref: 007CD81A
• ClientToScreen.USER32(?,?), ref: 007CD878
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007CD8A8
• SendMessageW.USER32(?,00001111,00000000,?), ref: 007CD8D2
• SendMessageW.USER32 ref: 007CD8F5
• ClientToScreen.USER32(?,?), ref: 007CD947
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007CD97B
  • Part of subcall function 007429AB: GetWindowLongW.USER32(?,000000EB), ref: 007429BC
• GetWindowLongW.USER32(?,000000F0), ref: 007CDA17
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3977979337-4164748364
• Opcode ID: 5d54656f4c6b8db489db9ee52930f5a51e54d304e1ad9c613ea0e23d6586f299
• Instruction ID: 0ba478679c042deff4dc8bcee8069e57eaaf60305e7f2b337335d6bceb50c18b
• Opcode Fuzzy Hash: 5d54656f4c6b8db489db9ee52930f5a51e54d304e1ad9c613ea0e23d6586f299
• Instruction Fuzzy Hash: 11427834604241EFD7259F28C848FAABBE5FF88310F18462DF695872A1C779EC55CB92
APIs
  • Part of subcall function 00799399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007993E3
  • Part of subcall function 00799399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00799410
  • Part of subcall function 00799399: GetLastError.KERNEL32 ref: 0079941D
• _memset.LIBCMT ref: 00798F71
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00798FC3
• CloseHandle.KERNEL32(?), ref: 00798FD4
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00798FEB
• GetProcessWindowStation.USER32 ref: 00799004
• SetProcessWindowStation.USER32(00000000), ref: 0079900E
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00799028
  • Part of subcall function 00798DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00798F27), ref: 00798DFE
  • Part of subcall function 00798DE9: CloseHandle.KERNEL32(?,?,00798F27), ref: 00798E10
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: aa6164e75e43163394bc4c2a13c5b087f6b9df85bb3304b14a17ad27279bba92
• Instruction ID: 43bc8032144815d577f0d8ac21e1361f18223da8b884fed4d43b29998aa492fd
• Opcode Fuzzy Hash: aa6164e75e43163394bc4c2a13c5b087f6b9df85bb3304b14a17ad27279bba92
• Instruction Fuzzy Hash: C3817CB190120DFFEF119FA8ED49AEE7B79FF04304F04811AFA10A6261D73A8E159B51
APIs
• OpenClipboard.USER32(007D0980), ref: 007B465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 007B466A
• GetClipboardData.USER32(0000000D), ref: 007B4672
• CloseClipboard.USER32 ref: 007B467E
• GlobalLock.KERNEL32(00000000), ref: 007B469A
• CloseClipboard.USER32 ref: 007B46A4
• GlobalUnlock.KERNEL32(00000000), ref: 007B46B9
• IsClipboardFormatAvailable.USER32(00000001), ref: 007B46C6
• GetClipboardData.USER32(00000001), ref: 007B46CE
• GlobalLock.KERNEL32(00000000), ref: 007B46DB
• GlobalUnlock.KERNEL32(00000000), ref: 007B470F
• CloseClipboard.USER32 ref: 007B481F
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 650c1e841c81c8810d5f96c7ff655d326db4e65005adc9b32600e8a4c0cf310b
• Instruction ID: 13ff44bc92a485ba8c74f45b4bf2951a782dae41cbdaf985389b0bffa902143a
• Opcode Fuzzy Hash: 650c1e841c81c8810d5f96c7ff655d326db4e65005adc9b32600e8a4c0cf310b
• Instruction Fuzzy Hash: 5F51B471245201ABD700EF60DC89FAE77B8BF85B11F04452AF956D21E2DF78D904CBA6
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007AF5F9
• _wcscmp.LIBCMT ref: 007AF60E
• _wcscmp.LIBCMT ref: 007AF625
• GetFileAttributesW.KERNEL32(?), ref: 007AF637
• SetFileAttributesW.KERNEL32(?,?), ref: 007AF651
• FindNextFileW.KERNEL32(00000000,?), ref: 007AF669
• FindClose.KERNEL32(00000000), ref: 007AF674
• FindFirstFileW.KERNEL32(*.*,?), ref: 007AF690
• _wcscmp.LIBCMT ref: 007AF6B7
• _wcscmp.LIBCMT ref: 007AF6CE
• SetCurrentDirectoryW.KERNEL32(?), ref: 007AF6E0
• SetCurrentDirectoryW.KERNEL32(007FB578), ref: 007AF6FE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 007AF708
• FindClose.KERNEL32(00000000), ref: 007AF715
• FindClose.KERNEL32(00000000), ref: 007AF727
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                                                              • String ID: *.*$Sz
                                                                                                                                                                              • API String ID: 1803514871-885807242
                                                                                                                                                                              • Opcode ID: bef1e6969eded6c0188b6b6fa9e88e3f8823ecd3e2ee9020b3297cb8190cc07d
                                                                                                                                                                              • Instruction ID: e1ff0a4acbd44e202d84d22a5d262c0a001a20b2bc2e4d2930ceafb3d96474ca
                                                                                                                                                                              • Opcode Fuzzy Hash: bef1e6969eded6c0188b6b6fa9e88e3f8823ecd3e2ee9020b3297cb8190cc07d
                                                                                                                                                                              • Instruction Fuzzy Hash: E831B67154221DAADB10DBF4DC4DAEE77BCAF4A321F104266F905E31A0DB3CDA44CA64
                                                                                                                                                                              APIs
                                                                                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007ACDD0
                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 007ACE24
                                                                                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007ACE49
                                                                                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007ACE60
                                                                                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 007ACE87
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007ACED3
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007ACF16
                                                                                                                                                                                • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007ACF6A
                                                                                                                                                                                • Part of subcall function 007638C8: __woutput_l.LIBCMT ref: 00763921
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007ACFB8
                                                                                                                                                                                • Part of subcall function 007638C8: __flsbuf.LIBCMT ref: 00763943
                                                                                                                                                                                • Part of subcall function 007638C8: __flsbuf.LIBCMT ref: 0076395B
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007AD007
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007AD056
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007AD0A5
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                                                                              • API String ID: 3953360268-2428617273
                                                                                                                                                                              • Opcode ID: 3c8bf093027e78269511cae39e07c858a03b62c2fe735e457ee182eeebd82158
                                                                                                                                                                              • Instruction ID: d326f2dfc966bb107d9fd876b3126b6bb1ad16bb7c2ccc92992afd7ad88c06a8
                                                                                                                                                                              • Opcode Fuzzy Hash: 3c8bf093027e78269511cae39e07c858a03b62c2fe735e457ee182eeebd82158
                                                                                                                                                                              • Instruction Fuzzy Hash: 5DA15EB1408305EBC711EF64D989EAFB7ECBF94701F404919F58583191EB78EA08CBA2
                                                                                                                                                                              APIs
                                                                                                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0FB3
                                                                                                                                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,007D0980,00000000,?,00000000,?,?), ref: 007C1021
                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007C1069
                                                                                                                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007C10F2
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 007C1412
                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 007C141F
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Close$ConnectCreateRegistryValue
                                                                                                                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                                              • API String ID: 536824911-966354055
                                                                                                                                                                              • Opcode ID: a743d8de7b8d16d04114ad232567ad54e06567a365d89d27041d3d6d1e1b5c12
                                                                                                                                                                              • Instruction ID: de21aac2c116b91240cb79dbd2c9c6dcca2c7afff4365bc029ff11539f7ca34f
                                                                                                                                                                              • Opcode Fuzzy Hash: a743d8de7b8d16d04114ad232567ad54e06567a365d89d27041d3d6d1e1b5c12
                                                                                                                                                                              • Instruction Fuzzy Hash: 75023575600601DFCB14EF24C859F2AB7E5EF89714F04896DF98A9B262CB38ED41CB91
                                                                                                                                                                              APIs
                                                                                                                                                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007AF756
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 007AF76B
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 007AF782
                                                                                                                                                                                • Part of subcall function 007A4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007A4890
                                                                                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 007AF7B1
                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 007AF7BC
                                                                                                                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 007AF7D8
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 007AF7FF
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 007AF816
                                                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 007AF828
                                                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(007FB578), ref: 007AF846
                                                                                                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 007AF850
                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 007AF85D
                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 007AF86F
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                                                              • String ID: *.*$jz
                                                                                                                                                                              • API String ID: 1824444939-2566750845
                                                                                                                                                                              • Opcode ID: 214b2680cbcb416ca50465abcec87fe23b09fa2bc1afbd4cd13f24a123b2d024
                                                                                                                                                                              • Instruction ID: 29f77f81ce0967fac5b903bf1b3dd1f7a93156d2fc5a5177a1162650f863e716
                                                                                                                                                                              • Opcode Fuzzy Hash: 214b2680cbcb416ca50465abcec87fe23b09fa2bc1afbd4cd13f24a123b2d024
                                                                                                                                                                              • Instruction Fuzzy Hash: F631A77150121DAADB10ABB4DC48ADE777CAF8A321F104266E914A31A0D73CDA55CA64
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00798E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00798E3C
                                                                                                                                                                                • Part of subcall function 00798E20: GetLastError.KERNEL32(?,00798900,?,?,?), ref: 00798E46
                                                                                                                                                                                • Part of subcall function 00798E20: GetProcessHeap.KERNEL32(00000008,?,?,00798900,?,?,?), ref: 00798E55
                                                                                                                                                                                • Part of subcall function 00798E20: HeapAlloc.KERNEL32(00000000,?,00798900,?,?,?), ref: 00798E5C
                                                                                                                                                                                • Part of subcall function 00798E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00798E73
                                                                                                                                                                                • Part of subcall function 00798EBD: GetProcessHeap.KERNEL32(00000008,00798916,00000000,00000000,?,00798916,?), ref: 00798EC9
                                                                                                                                                                                • Part of subcall function 00798EBD: HeapAlloc.KERNEL32(00000000,?,00798916,?), ref: 00798ED0
                                                                                                                                                                                • Part of subcall function 00798EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00798916,?), ref: 00798EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00798931
• _memset.LIBCMT ref: 00798946
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00798965
• GetLengthSid.ADVAPI32(?), ref: 00798976
• GetAce.ADVAPI32(?,00000000,?), ref: 007989B3
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007989CF
• GetLengthSid.ADVAPI32(?), ref: 007989EC
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007989FB
• HeapAlloc.KERNEL32(00000000), ref: 00798A02
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00798A23
• CopySid.ADVAPI32(00000000), ref: 00798A2A
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00798A5B
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00798A81
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00798A95
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: 16d1e57bec93abd85139bed9b717058b36247fd94be8373c11a06d12107a62af
• Instruction ID: 406088023b83f462b3170a00bcaa50bebcbaf09062d05e972f1cc2fda6b85402
• Opcode Fuzzy Hash: 16d1e57bec93abd85139bed9b717058b36247fd94be8373c11a06d12107a62af
• Instruction Fuzzy Hash: F7615C75A00109FFDF40DFA5EC49EEEBB79FF45300F04811AE915AA290DB399A05CBA5
APIs
  • Part of subcall function 007C147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C040D,?,?), ref: 007C1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0B0C
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007C0BAB
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007C0C43
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007C0E82
• RegCloseKey.ADVAPI32(00000000), ref: 007C0E8F
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 67d2dc2f24c1b35fba9d74e60dfa9677a449f1834f97efd450695d642b8f6cf3
• Instruction ID: c96e5baa048185d6aa692d66e5b4e7d33be4aa6a759523e7ccec101fe1e32cbb
• Opcode Fuzzy Hash: 67d2dc2f24c1b35fba9d74e60dfa9677a449f1834f97efd450695d642b8f6cf3
• Instruction Fuzzy Hash: A8E13A71204210EFCB14DF28C895E6ABBE8EF89714F04896DF84ADB261DB34ED05CB91
APIs
• __swprintf.LIBCMT ref: 007A4451
• __swprintf.LIBCMT ref: 007A445E
  • Part of subcall function 007638C8: __woutput_l.LIBCMT ref: 00763921
• FindResourceW.KERNEL32(?,?,0000000E), ref: 007A4488
• LoadResource.KERNEL32(?,00000000), ref: 007A4494
• LockResource.KERNEL32(00000000), ref: 007A44A1
• FindResourceW.KERNEL32(?,?,00000003), ref: 007A44C1
• LoadResource.KERNEL32(?,00000000), ref: 007A44D3
• SizeofResource.KERNEL32(?,00000000), ref: 007A44E2
• LockResource.KERNEL32(?), ref: 007A44EE
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007A454F
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
• String ID:
• API String ID: 1433390588-0
• Opcode ID: 8965b6b9bed4d80f89719c90d790b6d74cea01ad7e7ef70b89152626f3d2fe8f
• Instruction ID: 77818fecf886456533279b1f3637611d9e45477cd879dc4b988d336493f1ecf5
• Opcode Fuzzy Hash: 8965b6b9bed4d80f89719c90d790b6d74cea01ad7e7ef70b89152626f3d2fe8f
• Instruction Fuzzy Hash: 1631C37190221AEBCB119FA0EC58EBF7BB8FF85300F008525F946D2150E779E960CBA4
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: fe5f67f5fa01a15489c930c18ab823b94701237363876c91aa4148b51d3f2a32
• Instruction ID: d35c3659287fc610c87303023d2a5df0f0e0d0485f494fc01e9af746da3a9313
• Opcode Fuzzy Hash: fe5f67f5fa01a15489c930c18ab823b94701237363876c91aa4148b51d3f2a32
• Instruction Fuzzy Hash: 03217131602210AFDB11AF60EC4DB6E7BB8FF44711F048016F9469B2A2DB38ED11CB98
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007AFA83
• FindClose.KERNEL32(00000000), ref: 007AFB96
  • Part of subcall function 007452B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007452E6
• Sleep.KERNEL32(0000000A), ref: 007AFAB3
• _wcscmp.LIBCMT ref: 007AFAC7
• _wcscmp.LIBCMT ref: 007AFAE2
• FindNextFileW.KERNEL32(?,?), ref: 007AFB80
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
• String ID: *.*
• API String ID: 2185952417-438819550
• Opcode ID: 97a338d652516dac59bdae0b6d0d9ecdc299a8997a2ca3ff0fb79f88bbce1808
• Instruction ID: 3916c1d10e0e6d107981ed35397aaef1f224f1fb0eb5df872cf1fd7383e3744f
• Opcode Fuzzy Hash: 97a338d652516dac59bdae0b6d0d9ecdc299a8997a2ca3ff0fb79f88bbce1808
• Instruction Fuzzy Hash: 2A4184B190110E9FCF14DFA4CC59AEE7BB4FF45311F548566E814A2291EB389E44CBA0
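The executed-function entries in this report are long lists of API call sites, and the interesting functions (the one that rewrites a user-object DACL and ends in SetUserObjectSecurity, the one that opens a remote registry with RegConnectRegistryW, the directory walker passing `*.*` to FindFirstFileW, the one that acquires a privilege and calls ExitWindowsEx) are buried among resource loading and string formatting. The following is an added triage script, not part of the Joe Sandbox report or its tooling: it parses API lines in the textual form shown on this page, groups them by entry, tags each entry with the behaviour its API set implies, and pulls out literal arguments such as `*.*`. The sample input is constructed from the API lines of four entries on this page; the behaviour rules are the author's own mapping and assume all APIs of a rule must appear in the same entry (subcalls included).

```python
"""Triage helper for Joe Sandbox 'Executed Functions' API traces (added example)."""
import re
from dataclasses import dataclass, field

# One API line of an entry, in the form shown on the report page, e.g.
#   • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007989CF
#   • _memset.LIBCMT ref: 00798946
#     • Part of subcall function 00799399: GetLastError.KERNEL32 ref: 0079941D
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")  # resolved numeric argument, e.g. 0000000C or -00000008


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # raw argument tokens; "?" is an argument the analyser could not resolve
    ref: int        # address of the call site
    subcall: str    # callee address when the call happens inside a subcall, else ""


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)

    def apis(self) -> set:
        return {c.api for c in self.calls}


def parse_entries(text: str) -> list:
    """Split a dump into entries (each starts with an 'APIs' header) and parse their API lines."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append(FunctionEntry())
            continue
        m = API_LINE.match(line)
        if not m or not entries:
            continue  # 'Memory Dump Source', 'Similarity' and similar lines are skipped
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        entries[-1].calls.append(
            ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub") or "")
        )
    return entries


# Behaviour tags keyed by the APIs that together imply them (author's mapping, an assumption).
RULES = {
    "user-object DACL modification": {"AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"},
    "remote registry access": {"RegConnectRegistryW"},
    "directory enumeration": {"FindFirstFileW", "FindNextFileW"},
    "privilege adjustment": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "system shutdown or reboot": {"ExitWindowsEx"},
}


def classify(entry: FunctionEntry) -> list:
    """Tags whose full API set is present in the entry, in RULES order."""
    present = entry.apis()
    return [tag for tag, needed in RULES.items() if needed <= present]


def literal_args(entry: FunctionEntry) -> list:
    """(api, argument) pairs that are neither unresolved ('?') nor plain numbers: passed string literals."""
    return [(c.api, a) for c in entry.calls for a in c.args if a != "?" and not HEX_ARG.match(a)]


# Constructed sample: API lines of four entries from this report page.
SAMPLE = """\
APIs
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00798931
• _memset.LIBCMT ref: 00798946
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00798965
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007989CF
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00798A81
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00798A95
APIs
  • Part of subcall function 007C147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C040D,?,?), ref: 007C1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0B0C
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007C0BAB
• RegCloseKey.ADVAPI32(00000000), ref: 007C0E8F
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007AFA83
• FindClose.KERNEL32(00000000), ref: 007AFB96
• Sleep.KERNEL32(0000000A), ref: 007AFAB3
• FindNextFileW.KERNEL32(?,?), ref: 007AFB80
APIs
  • Part of subcall function 00799399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007993E3
  • Part of subcall function 00799399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00799410
  • Part of subcall function 00799399: GetLastError.KERNEL32 ref: 0079941D
• ExitWindowsEx.USER32(?,00000000), ref: 007A57B4
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        first = e.calls[0]
        print(f"entry at {first.ref:08X}: {classify(e) or ['-']}, literals {literal_args(e)}")
```

The entry that ends in ExitWindowsEx gets both the privilege and the shutdown tag, which matches the `SeShutdownPrivilege` string the report lists for it: ExitWindowsEx requires that privilege, so the AdjustTokenPrivileges subcall is what makes the shutdown call work. Unresolved arguments (`?`) are kept so that a rule can later be tightened on a specific argument value (for example the `0000000A` millisecond Sleep in the directory walker) without re-parsing.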
APIs
  • Part of subcall function 00799399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007993E3
  • Part of subcall function 00799399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00799410
  • Part of subcall function 00799399: GetLastError.KERNEL32 ref: 0079941D
• ExitWindowsEx.USER32(?,00000000), ref: 007A57B4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
                                                                                                                                                                              • Opcode ID: 68578003419b5a2d4cd248d824d106fea119ab25ffb60c17eaf7c7826dc200ad
                                                                                                                                                                              • Instruction ID: d27125ee9634d2faae7b920e33c8da8514072ce1591a47e0407eb0a20559b33c
                                                                                                                                                                              • Opcode Fuzzy Hash: 68578003419b5a2d4cd248d824d106fea119ab25ffb60c17eaf7c7826dc200ad
                                                                                                                                                                              • Instruction Fuzzy Hash: AF01F771751712EAE7286664EC8ABBF7358EB86750F10422AFD13F20D2DA6C5C008194
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007B69C7
• WSAGetLastError.WSOCK32(00000000), ref: 007B69D6
• bind.WSOCK32(00000000,?,00000010), ref: 007B69F2
• listen.WSOCK32(00000000,00000005), ref: 007B6A01
• WSAGetLastError.WSOCK32(00000000), ref: 007B6A1B
• closesocket.WSOCK32(00000000,00000000), ref: 007B6A2F
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: fdebe7824d1b43548f5f5e96060d247905f9284e94c5688c4da16ebd9d78f668
• Instruction ID: 68c70ed157a2b4f6f9e656b41cfa5f602796c933373fac6b722335f2c4e6e0ec
• Opcode Fuzzy Hash: fdebe7824d1b43548f5f5e96060d247905f9284e94c5688c4da16ebd9d78f668
• Instruction Fuzzy Hash: F321A074600604DFCB10EF64D889BAEB7B9EF44720F14C559FA56AB391CB78AC01DB91
APIs
  • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00741DD6
• GetSysColor.USER32(0000000F), ref: 00741E2A
• SetBkColor.GDI32(?,00000000), ref: 00741E3D
  • Part of subcall function 0074166C: DefDlgProcW.USER32(?,00000020,?), ref: 007416B4
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
• Opcode ID: 7bd757e89e2061a0c4444fdd2561973e3fa67116c4c644df45d327512bf74a80
• Instruction ID: 8c9ba0d40be7cef24e189588a11633066c77cab7486ffa9ad952d890e4f5dcf3
• Opcode Fuzzy Hash: 7bd757e89e2061a0c4444fdd2561973e3fa67116c4c644df45d327512bf74a80
• Instruction Fuzzy Hash: A6A134B4705904FAEB3CBB698C49F7B2A9DEB41341F94C11EF406C6195CB2C9D81CA76
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 007AC329
• _wcscmp.LIBCMT ref: 007AC359
• _wcscmp.LIBCMT ref: 007AC36E
• FindNextFileW.KERNEL32(00000000,?), ref: 007AC37F
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 007AC3AF
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: c0f1a770582fb9cb20ef5cdb2db9a40ff1f8400d3cdf5f469500e2dbd9ed480b
• Instruction ID: 5258d068de07301d0a39d446486b3833ad962fcd28cad7c4dd5c04835392f0c7
• Opcode Fuzzy Hash: c0f1a770582fb9cb20ef5cdb2db9a40ff1f8400d3cdf5f469500e2dbd9ed480b
• Instruction Fuzzy Hash: AA51AE75A04602DFD715DF68C494EAAB7E4FF8A310F10461DF9568B361DB38AD04CB91
APIs
  • Part of subcall function 007B8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007B84A0
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007B6E89
• WSAGetLastError.WSOCK32(00000000), ref: 007B6EB2
• bind.WSOCK32(00000000,?,00000010), ref: 007B6EEB
• WSAGetLastError.WSOCK32(00000000), ref: 007B6EF8
• closesocket.WSOCK32(00000000,00000000), ref: 007B6F0C
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: 4666449a6314f2fc969fd371b9eeeac728c1f87e564fae20885111a195c98df4
• Instruction ID: 2214d416d436813dc263fe4ff6b957f3d66537770bdaf92aa380cfef5755d494
• Opcode Fuzzy Hash: 4666449a6314f2fc969fd371b9eeeac728c1f87e564fae20885111a195c98df4
• Instruction Fuzzy Hash: AA41D075B00200EFDB10AF64DC8AF7E77A8AB44710F048458FA16AB3D2DB789D009BE1
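The function blocks above list raw Win32 calls with hex arguments, so reading them by eye means decoding constants (the second socket() block passes protocol 00000011, i.e. 17, IPPROTO_UDP) and spotting call order (socket → bind → listen is a server socket; AdjustTokenPrivileges followed by ExitWindowsEx is the usual reboot-with-SeShutdownPrivilege sequence). The script below is an added example written for this report, not Joe Sandbox code and not part of the sample: it parses the plugin's API lines, decodes socket() arguments with the standard Winsock constant values, and tags each block with the chain it matches. The rule names and the parsing regex are my own; the sample blocks are copied from the report sections above.

```python
# Parse the "APIs" lines of Joe Sandbox IDA-plugin function blocks and flag
# well-known call chains. Added illustration for this report; not Joe Sandbox
# code, and the rule names below are my own.
import re

# One API line, after its leading bullet is stripped, e.g.
#   socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007B69C7
#   _wcscmp.LIBCMT ref: 007AC359
#   Part of subcall function 00799399: GetLastError.KERNEL32 ref: 0079941D
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard Winsock values for socket(af, type, protocol).
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def hex_arg(token):
    """'00000011' -> 17; the plugin prints '?' for values it could not resolve."""
    return None if token == "?" else int(token, 16)


def parse_api_line(line):
    """Return a dict for one API line, or None if the line is not an API entry."""
    m = API_LINE.match(line.strip().lstrip("\u2022").strip())
    if not m:
        return None
    raw = m.group("args")
    args = [] if not raw or not raw.strip() else [a.strip() for a in raw.split(",")]
    return {"func": m.group("func"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub")}  # set when the call happens inside a callee


def parse_block(text):
    """Parse every API line of a block; headers and hash lines are skipped."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def describe_socket(call):
    """Decode the first three socket() arguments into symbolic names."""
    if call["func"] != "socket" or len(call["args"]) < 3:
        return None
    af, typ, proto = (hex_arg(a) for a in call["args"][:3])
    return "/".join((AF.get(af, f"af={af}"), SOCK_TYPE.get(typ, f"type={typ}"),
                     PROTO.get(proto, f"proto={proto}")))


def _in_order(names, *wanted):
    # True if every wanted name occurs in `names`, in the given order.
    pos = 0
    for w in wanted:
        try:
            pos = names.index(w, pos) + 1
        except ValueError:
            return False
    return True


def classify(calls):
    """Tag a function's call sequence with the chains a reverser looks for."""
    names = [c["func"] for c in calls]
    tags = []
    if _in_order(names, "AdjustTokenPrivileges", "ExitWindowsEx"):
        tags.append("privileged-shutdown")  # enable a privilege, then reboot/logoff
    if _in_order(names, "socket", "bind", "listen"):
        tags.append("listening-socket")  # server-side TCP endpoint
    elif _in_order(names, "socket", "bind"):
        tags.append("bound-socket")  # e.g. a UDP endpoint
    if _in_order(names, "FindFirstFileW", "FindNextFileW") or \
            _in_order(names, "FindFirstFileA", "FindNextFileA"):
        tags.append("directory-walk")
    return tags


# Constructed samples: API lines of three function blocks from this report.
SAMPLE_SHUTDOWN = """
  • Part of subcall function 00799399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00799410
  • Part of subcall function 00799399: GetLastError.KERNEL32 ref: 0079941D
• ExitWindowsEx.USER32(?,00000000), ref: 007A57B4
"""
SAMPLE_LISTEN = """
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007B69C7
• WSAGetLastError.WSOCK32(00000000), ref: 007B69D6
• bind.WSOCK32(00000000,?,00000010), ref: 007B69F2
• listen.WSOCK32(00000000,00000005), ref: 007B6A01
• closesocket.WSOCK32(00000000,00000000), ref: 007B6A2F
"""
SAMPLE_UDP = """
  • Part of subcall function 007B8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007B84A0
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007B6E89
• bind.WSOCK32(00000000,?,00000010), ref: 007B6EEB
• closesocket.WSOCK32(00000000,00000000), ref: 007B6F0C
"""


def report(text):
    """Return (tags, decoded socket() or None) for one block."""
    calls = parse_block(text)
    socks = [describe_socket(c) for c in calls if c["func"] == "socket"]
    return classify(calls), (socks[0] if socks else None)


if __name__ == "__main__":
    for name, block in (("shutdown", SAMPLE_SHUTDOWN), ("listen", SAMPLE_LISTEN),
                        ("udp", SAMPLE_UDP)):
        print(name, report(block))
```

Running it on the three blocks yields `(['privileged-shutdown'], None)`, `(['listening-socket'], 'AF_INET/SOCK_STREAM/IPPROTO_TCP')` and `(['bound-socket'], 'AF_INET/SOCK_DGRAM/IPPROTO_UDP')`. Arguments shown as `?` are ones the plugin could not resolve statically, so the bind() address is not recoverable from these lines alone; the listening port would have to come from the dynamic network trace elsewhere in the report.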
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 35a71170eb62dcca15176f54d8b7e92163dada741dbaf90fd0d7f835cc65ba44
• Instruction ID: 939e62995a884dd13183ffd455cacd4a8556055f52ba294355d3656362e22164
• Opcode Fuzzy Hash: 35a71170eb62dcca15176f54d8b7e92163dada741dbaf90fd0d7f835cc65ba44
• Instruction Fuzzy Hash: E011B2327019119BEB215F269C88F2E7BA9EF84721F04812EE806D7241DB39F9418AE5
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007B1ED6,00000000), ref: 007B2AAD
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007B2AE4
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
  • Part of subcall function 00760FE6: std::exception::exception.LIBCMT ref: 0076101C
  • Part of subcall function 00760FE6: __CxxThrowException@8.LIBCMT ref: 00761031
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007993E3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00799410
• GetLastError.KERNEL32 ref: 0079941D
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007A4271
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007A42B2
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007A42BD
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007A4F45
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007A4F5C
• FreeSid.ADVAPI32(?), ref: 007A4F6C
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007A1B01
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 007A1B14
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,007B9B52,?,007D098C,?), ref: 007AA6DA
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,007B9B52,?,007D098C,?), ref: 007AA6EC
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00798F27), ref: 00798DFE
• CloseHandle.KERNEL32(?,?,00798F27), ref: 00798E10
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00768F87,?,?,?,00000001), ref: 0076A38A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0076A393
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• BlockInput.USER32(00000001), ref: 007B45F0
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 007A5205
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00798FA7), ref: 00799389
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00780734
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0076A35A
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                                                                                                                              • Opcode ID: b85782948d5c1efa559fd03c355c6a8e42800f70737900cedefb079b3131def7
                                                                                                                                                                              • Instruction ID: 171b4ed4ef1fa48dd8017e32213e5f5bea504999b2a5ddbebd5a07535a0b0bbc
                                                                                                                                                                              • Opcode Fuzzy Hash: b85782948d5c1efa559fd03c355c6a8e42800f70737900cedefb079b3131def7
                                                                                                                                                                              • Instruction Fuzzy Hash: 01A0223002020CFBCF002F8AFC08888BFBCEB002A0F00C022F80C00032CB33A8208AC8
                                                                                                                                                                              APIs
                                                                                                                                                                              • CharUpperBuffW.USER32(?,?,007D0980), ref: 007C3C65
                                                                                                                                                                              • IsWindowVisible.USER32(?), ref: 007C3C89
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: BuffCharUpperVisibleWindow
                                                                                                                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                                                                              • API String ID: 4105515805-45149045
                                                                                                                                                                              • Opcode ID: 09380c07c2e9906d818712323bccb3dc04287a56c33b10e05447bd8953f8216c
                                                                                                                                                                              • Instruction ID: e8d473616fc854aebb1843059646cd4a55e9cb767019f0b5321242ab0d1a7f59
                                                                                                                                                                              • Opcode Fuzzy Hash: 09380c07c2e9906d818712323bccb3dc04287a56c33b10e05447bd8953f8216c
                                                                                                                                                                              • Instruction Fuzzy Hash: D0D17E30204205DBCB15EF20C555F6EB7A1AF94354F1089ACF9865B3A2CB3DED4ACB92
                                                                                                                                                                              APIs
                                                                                                                                                                              • SetTextColor.GDI32(?,00000000), ref: 007CAC55
                                                                                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 007CAC86
                                                                                                                                                                              • GetSysColor.USER32(0000000F), ref: 007CAC92
                                                                                                                                                                              • SetBkColor.GDI32(?,000000FF), ref: 007CACAC
                                                                                                                                                                              • SelectObject.GDI32(?,?), ref: 007CACBB
                                                                                                                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 007CACE6
                                                                                                                                                                              • GetSysColor.USER32(00000010), ref: 007CACEE
                                                                                                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 007CACF5
                                                                                                                                                                              • FrameRect.USER32(?,?,00000000), ref: 007CAD04
                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 007CAD0B
                                                                                                                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 007CAD56
                                                                                                                                                                              • FillRect.USER32(?,?,?), ref: 007CAD88
                                                                                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 007CADB3
                                                                                                                                                                                • Part of subcall function 007CAF18: GetSysColor.USER32(00000012), ref: 007CAF51
                                                                                                                                                                                • Part of subcall function 007CAF18: SetTextColor.GDI32(?,?), ref: 007CAF55
                                                                                                                                                                                • Part of subcall function 007CAF18: GetSysColorBrush.USER32(0000000F), ref: 007CAF6B
                                                                                                                                                                                • Part of subcall function 007CAF18: GetSysColor.USER32(0000000F), ref: 007CAF76
                                                                                                                                                                                • Part of subcall function 007CAF18: GetSysColor.USER32(00000011), ref: 007CAF93
                                                                                                                                                                                • Part of subcall function 007CAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CAFA1
                                                                                                                                                                                • Part of subcall function 007CAF18: SelectObject.GDI32(?,00000000), ref: 007CAFB2
                                                                                                                                                                                • Part of subcall function 007CAF18: SetBkColor.GDI32(?,00000000), ref: 007CAFBB
                                                                                                                                                                                • Part of subcall function 007CAF18: SelectObject.GDI32(?,?), ref: 007CAFC8
                                                                                                                                                                                • Part of subcall function 007CAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 007CAFE7
                                                                                                                                                                                • Part of subcall function 007CAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CAFFE
                                                                                                                                                                                • Part of subcall function 007CAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 007CB013
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4124339563-0
                                                                                                                                                                              • Opcode ID: 80e226a769e8103d45e8db9cc46e0958c6ee82e938e5a715593fbc42fa6f27c3
                                                                                                                                                                              • Instruction ID: 1256ae1a15ecbff5aaddcfc3d651667679eac257a17d6e225a6779730c389d18
                                                                                                                                                                              • Opcode Fuzzy Hash: 80e226a769e8103d45e8db9cc46e0958c6ee82e938e5a715593fbc42fa6f27c3
                                                                                                                                                                              • Instruction Fuzzy Hash: E4A16B72109309BFD7119F64DC08F6A7BB9FF88326F105A1EF962961A0D739D840CB96
                                                                                                                                                                              APIs
                                                                                                                                                                              • DestroyWindow.USER32(?,?,?), ref: 00743072
                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 007430B8
                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 007430C3
                                                                                                                                                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 007430CE
                                                                                                                                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 007430D9
                                                                                                                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0077C77C
                                                                                                                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0077C7B5
                                                                                                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0077CBDE
                                                                                                                                                                                • Part of subcall function 00741F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00742412,?,00000000,?,?,?,?,00741AA7,00000000,?), ref: 00741F76
                                                                                                                                                                              • SendMessageW.USER32(?,00001053), ref: 0077CC1B
                                                                                                                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0077CC32
                                                                                                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0077CC48
                                                                                                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0077CC53
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                                                                              • String ID: 0
                                                                                                                                                                              • API String ID: 464785882-4108050209
                                                                                                                                                                              • Opcode ID: 9a56e9f0f6fa602f226053534d74ebd4de33aad209a10511fa74b1ce4a38c892
                                                                                                                                                                              • Instruction ID: d024785257e44f7347087050b140bf5b4350ec5422c0f481695a36d86c13693f
                                                                                                                                                                              • Opcode Fuzzy Hash: 9a56e9f0f6fa602f226053534d74ebd4de33aad209a10511fa74b1ce4a38c892
                                                                                                                                                                              • Instruction Fuzzy Hash: 2E128D30604201EFDB26CF24C889BA9B7A5FF48351F14866DF999CB262C739ED51CB91
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                                                                                                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                                                                              • API String ID: 2660009612-1645009161
                                                                                                                                                                              • Opcode ID: 8161f1ffeba1cd91f54f75102dc780af2bbac8370f1cca1426e51385664c4388
                                                                                                                                                                              • Instruction ID: bd456ecfee5bfeb855437cb7f24a0cb497185f6d7037a81dd1a1fe764e710067
                                                                                                                                                                              • Opcode Fuzzy Hash: 8161f1ffeba1cd91f54f75102dc780af2bbac8370f1cca1426e51385664c4388
                                                                                                                                                                              • Instruction Fuzzy Hash: 5EA1B271A40209FBCB10AF60DC56EBE3774AF55741F140029FC05AB293EBB9AE16DB61
                                                                                                                                                                              APIs
• DestroyWindow.USER32(00000000), ref: 007B7BC8
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007B7C87
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007B7CC5
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007B7CD7
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007B7D1D
• GetClientRect.USER32(00000000,?), ref: 007B7D29
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007B7D6D
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007B7D7C
• GetStockObject.GDI32(00000011), ref: 007B7D8C
• SelectObject.GDI32(00000000,00000000), ref: 007B7D90
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007B7DA0
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B7DA9
• DeleteDC.GDI32(00000000), ref: 007B7DB2
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007B7DDE
• SendMessageW.USER32(00000030,00000000,00000001), ref: 007B7DF5
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007B7E30
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007B7E44
• SendMessageW.USER32(00000404,00000001,00000000), ref: 007B7E55
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007B7E85
• GetStockObject.GDI32(00000011), ref: 007B7E90
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007B7E9B
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007B7EA5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: 67239931cb7919b9bb89e2cc19064d35a366f42f907b5e1da7e43eb4ebe15132
• Instruction ID: 6f743c9166788e013af06bdf2030b5c3d85accdb19e7341cb404ef6db114e402
• Opcode Fuzzy Hash: 67239931cb7919b9bb89e2cc19064d35a366f42f907b5e1da7e43eb4ebe15132
• Instruction Fuzzy Hash: 0BA17EB1A01219BFEB14DBA4DC4AFAE7BB9EF44710F048115FA15A72E1D774AD00CBA4
APIs
• SetErrorMode.KERNEL32(00000001), ref: 007AB361
• GetDriveTypeW.KERNEL32(?,007D2C4C,?,\\.\,007D0980), ref: 007AB43E
• SetErrorMode.KERNEL32(00000000,007D2C4C,?,\\.\,007D0980), ref: 007AB59C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: e398e25abda0f563a77f0a1c21cd80aab93768e3595b7a40c54887a200907812
• Instruction ID: 2fbc4e690af8082cc106aca26e696f4e64a9ead868ff654b6bf68c60f05d8b77
• Opcode Fuzzy Hash: e398e25abda0f563a77f0a1c21cd80aab93768e3595b7a40c54887a200907812
• Instruction Fuzzy Hash: 2C519370F4020DEBCB00EB60C946A7D77E0ABCA341B648616E506A7393D77DAE91DF51
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007CA0F7
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007CA1B0
• SendMessageW.USER32(?,00001102,00000002,?), ref: 007CA1CC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
• Opcode ID: 065791760a87bc6e504c949a981188577ba2666adea73fa6665558af0a1619d6
• Instruction ID: 11e6cde6360f8a7613df4b24c8cf21349fb8282700036a86b2d7cd06d8df09f5
• Opcode Fuzzy Hash: 065791760a87bc6e504c949a981188577ba2666adea73fa6665558af0a1619d6
• Instruction Fuzzy Hash: 9202DB30508349BFDB15CF18C848FAABBE4FF8931AF04852DF995962A1C778D954CB92
APIs
• GetSysColor.USER32(00000012), ref: 007CAF51
• SetTextColor.GDI32(?,?), ref: 007CAF55
• GetSysColorBrush.USER32(0000000F), ref: 007CAF6B
• GetSysColor.USER32(0000000F), ref: 007CAF76
• CreateSolidBrush.GDI32(?), ref: 007CAF7B
• GetSysColor.USER32(00000011), ref: 007CAF93
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CAFA1
• SelectObject.GDI32(?,00000000), ref: 007CAFB2
• SetBkColor.GDI32(?,00000000), ref: 007CAFBB
• SelectObject.GDI32(?,?), ref: 007CAFC8
• InflateRect.USER32(?,000000FF,000000FF), ref: 007CAFE7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CAFFE
• GetWindowLongW.USER32(00000000,000000F0), ref: 007CB013
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007CB05F
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007CB086
• InflateRect.USER32(?,000000FD,000000FD), ref: 007CB0A4
• DrawFocusRect.USER32(?,?), ref: 007CB0AF
• GetSysColor.USER32(00000011), ref: 007CB0BD
• SetTextColor.GDI32(?,00000000), ref: 007CB0C5
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007CB0D9
• SelectObject.GDI32(?,007CAC1F), ref: 007CB0F0
• DeleteObject.GDI32(?), ref: 007CB0FB
• SelectObject.GDI32(?,?), ref: 007CB101
• DeleteObject.GDI32(?), ref: 007CB106
• SetTextColor.GDI32(?,?), ref: 007CB10C
• SetBkColor.GDI32(?,?), ref: 007CB116
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: cc9d9fb94ff5038a8d702e3f36b38b056c909b226dffd2cc71b51ad055e5bf2c
• Instruction ID: 075c2675691594020433e865a2d5933d28f96714ff4315097e6db89d76d4acdc
• Opcode Fuzzy Hash: cc9d9fb94ff5038a8d702e3f36b38b056c909b226dffd2cc71b51ad055e5bf2c
• Instruction Fuzzy Hash: 29616C71901218BFDF119FA4DC49FAE7B79EF08320F10911AF916AB2A1D7799940CF94
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007C90EA
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C90FB
• CharNextW.USER32(0000014E), ref: 007C912A
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007C916B
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007C9181
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C9192
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007C91AF
• SetWindowTextW.USER32(?,0000014E), ref: 007C91FB
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007C9211
• SendMessageW.USER32(?,00001002,00000000,?), ref: 007C9242
• _memset.LIBCMT ref: 007C9267
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007C92B0
• _memset.LIBCMT ref: 007C930F
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 007C9339
• SendMessageW.USER32(?,00001074,?,00000001), ref: 007C9391
• SendMessageW.USER32(?,0000133D,?,?), ref: 007C943E
• InvalidateRect.USER32(?,00000000,00000001), ref: 007C9460
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007C94AA
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007C94D7
• DrawMenuBar.USER32(?), ref: 007C94E6
• SetWindowTextW.USER32(?,0000014E), ref: 007C950E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                                                                              • String ID: 0
                                                                                                                                                                              • API String ID: 1073566785-4108050209
APIs
• GetCursorPos.USER32(?), ref: 007C5007
• GetDesktopWindow.USER32 ref: 007C501C
• GetWindowRect.USER32(00000000), ref: 007C5023
• GetWindowLongW.USER32(?,000000F0), ref: 007C5085
• DestroyWindow.USER32(?), ref: 007C50B1
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007C50DA
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007C50F8
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007C511E
• SendMessageW.USER32(?,00000421,?,?), ref: 007C5133
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007C5146
• IsWindowVisible.USER32(?), ref: 007C5166
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007C5181
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007C5195
• GetWindowRect.USER32(?,?), ref: 007C51AD
• MonitorFromPoint.USER32(?,?,00000002), ref: 007C51D3
• GetMonitorInfoW.USER32(00000000,?), ref: 007C51ED
• CopyRect.USER32(?,?), ref: 007C5204
• SendMessageW.USER32(?,00000412,00000000), ref: 007C526F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 007A499C
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007A49C2
• _wcscpy.LIBCMT ref: 007A49F0
• _wcscmp.LIBCMT ref: 007A49FB
• _wcscat.LIBCMT ref: 007A4A11
• _wcsstr.LIBCMT ref: 007A4A1C
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007A4A38
• _wcscat.LIBCMT ref: 007A4A81
• _wcscat.LIBCMT ref: 007A4A88
• _wcsncpy.LIBCMT ref: 007A4AB3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00742C8C
• GetSystemMetrics.USER32(00000007), ref: 00742C94
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00742CBF
• GetSystemMetrics.USER32(00000008), ref: 00742CC7
• GetSystemMetrics.USER32(00000004), ref: 00742CEC
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00742D09
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00742D19
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00742D4C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00742D60
• GetClientRect.USER32(00000000,000000FF), ref: 00742D7E
• GetStockObject.GDI32(00000011), ref: 00742D9A
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00742DA5
  • Part of subcall function 00742714: GetCursorPos.USER32(?), ref: 00742727
  • Part of subcall function 00742714: ScreenToClient.USER32(008077B0,?), ref: 00742744
  • Part of subcall function 00742714: GetAsyncKeyState.USER32(00000001), ref: 00742769
  • Part of subcall function 00742714: GetAsyncKeyState.USER32(00000002), ref: 00742777
• SetTimer.USER32(00000000,00000000,00000028,007413C7), ref: 00742DCC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI$h}
• API String ID: 1458621304-1893895206

APIs
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
• GetForegroundWindow.USER32(007D0980,?,?,?,?,?), ref: 007604E3
• IsWindow.USER32(?), ref: 007966BB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$Foreground_memmove
• String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
• API String ID: 3828923867-1919597938
• Opcode ID: d0e713aae2c5020d8ddf8e67ed10e18272a72239b091cff55f542ed9386f8c71
• Instruction ID: 939921bc9291cf37ce17c86a39c41bf7fab8e85bf648689e54c9497b86e508cd
• Opcode Fuzzy Hash: d0e713aae2c5020d8ddf8e67ed10e18272a72239b091cff55f542ed9386f8c71
• Instruction Fuzzy Hash: E1D1A570104202EBCF04EF60D485AAABBB5BF54344F504B29F856476A2DB38F959CBD1

APIs
• CharUpperBuffW.USER32(?,?), ref: 007C44AC
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007C456C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 880b27444115a77143c8ad4f75eb194dfc43eb392dc266fd758bbf14c7f904d9
• Instruction ID: 457ec74e1eb7ea3a8b3eecd89c5d283fea94dce5922a83220b051b0a0cc45876
• Opcode Fuzzy Hash: 880b27444115a77143c8ad4f75eb194dfc43eb392dc266fd758bbf14c7f904d9
• Instruction Fuzzy Hash: BBA15D30214205DFCB15EF24C965F6AB3A5BF85314F20496CF9969B3A2DB38ED05CB91

APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 007B56E1
• LoadCursorW.USER32(00000000,00007F8A), ref: 007B56EC
• LoadCursorW.USER32(00000000,00007F00), ref: 007B56F7
• LoadCursorW.USER32(00000000,00007F03), ref: 007B5702
• LoadCursorW.USER32(00000000,00007F8B), ref: 007B570D
• LoadCursorW.USER32(00000000,00007F01), ref: 007B5718
• LoadCursorW.USER32(00000000,00007F81), ref: 007B5723
• LoadCursorW.USER32(00000000,00007F88), ref: 007B572E
• LoadCursorW.USER32(00000000,00007F80), ref: 007B5739
• LoadCursorW.USER32(00000000,00007F86), ref: 007B5744
• LoadCursorW.USER32(00000000,00007F83), ref: 007B574F
• LoadCursorW.USER32(00000000,00007F85), ref: 007B575A
• LoadCursorW.USER32(00000000,00007F82), ref: 007B5765
• LoadCursorW.USER32(00000000,00007F84), ref: 007B5770
• LoadCursorW.USER32(00000000,00007F04), ref: 007B577B
• LoadCursorW.USER32(00000000,00007F02), ref: 007B5786
• GetCursorInfo.USER32(?), ref: 007B5796
• GetLastError.KERNEL32(00000001,00000000), ref: 007B57C1
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• API String ID: 3215588206-0
• Opcode ID: b572cdde3cea83239538553c82f9a22efdd5718f73c363ea5a3c45374a6cb076
• Instruction ID: 27f13c4f824e7a52c7c0552d6566da23d73841146e39ccc299c2833340bdbb82
• Opcode Fuzzy Hash: b572cdde3cea83239538553c82f9a22efdd5718f73c363ea5a3c45374a6cb076
• Instruction Fuzzy Hash: 21416770E04319AADB109FB68C49E6EFFF8EF51B10B10452FE519E7290DAB86400CF91

APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0079B17B
• __swprintf.LIBCMT ref: 0079B21C
• _wcscmp.LIBCMT ref: 0079B22F
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0079B284
• _wcscmp.LIBCMT ref: 0079B2C0
• GetClassNameW.USER32(?,?,00000400), ref: 0079B2F7
• GetDlgCtrlID.USER32(?), ref: 0079B349
• GetWindowRect.USER32(?,?), ref: 0079B37F
• GetParent.USER32(?), ref: 0079B39D
• ScreenToClient.USER32(00000000), ref: 0079B3A4
• GetClassNameW.USER32(?,?,00000100), ref: 0079B41E
• _wcscmp.LIBCMT ref: 0079B432
• GetWindowTextW.USER32(?,?,00000400), ref: 0079B458
• _wcscmp.LIBCMT ref: 0079B46C
  • Part of subcall function 0076385C: _iswctype.LIBCMT ref: 00763864
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: 91f46aab72e2f5d424bae2e5b4c0585d5f75a061f778306acba994d4d8f54768
• Instruction ID: 95d72690c5ec1800787be68a001b45fc402f4324cb00eaff7e5d97d93dc8cee7
• Opcode Fuzzy Hash: 91f46aab72e2f5d424bae2e5b4c0585d5f75a061f778306acba994d4d8f54768
• Instruction Fuzzy Hash: 2AA1E371204306EFDB14DF64E988BEAB7E8FF44351F008529F999C21A1D738E955CB91
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0079BAB1
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 0079BAC2
                                                                                                                                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0079BAEA
                                                                                                                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 0079BB07
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 0079BB25
                                                                                                                                                                              • _wcsstr.LIBCMT ref: 0079BB36
                                                                                                                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0079BB6E
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 0079BB7E
                                                                                                                                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0079BBA5
                                                                                                                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0079BBEE
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 0079BBFE
                                                                                                                                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0079BC26
                                                                                                                                                                              • GetWindowRect.USER32(00000004,?), ref: 0079BC8F
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
APIs
• LoadIconW.USER32(00000063), ref: 0079CBAA
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0079CBBC
• SetWindowTextW.USER32(?,?), ref: 0079CBD3
• GetDlgItem.USER32(?,000003EA), ref: 0079CBE8
• SetWindowTextW.USER32(00000000,?), ref: 0079CBEE
• GetDlgItem.USER32(?,000003E9), ref: 0079CBFE
• SetWindowTextW.USER32(00000000,?), ref: 0079CC04
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0079CC25
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0079CC3F
• GetWindowRect.USER32(?,?), ref: 0079CC48
• SetWindowTextW.USER32(?,?), ref: 0079CCB3
• GetDesktopWindow.USER32 ref: 0079CCB9
• GetWindowRect.USER32(00000000), ref: 0079CCC0
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0079CD0C
• GetClientRect.USER32(?,?), ref: 0079CD19
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0079CD3E
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0079CD69
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
APIs
• _memset.LIBCMT ref: 007CA87E
• DestroyWindow.USER32(00000000,?), ref: 007CA8F8
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007CA972
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007CA994
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CA9A7
• DestroyWindow.USER32(00000000), ref: 007CA9C9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00740000,00000000), ref: 007CAA00
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CAA19
• GetDesktopWindow.USER32 ref: 007CAA32
• GetWindowRect.USER32(00000000), ref: 007CAA39
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007CAA51
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007CAA69
  • Part of subcall function 007429AB: GetWindowLongW.USER32(?,000000EB), ref: 007429BC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
APIs
  • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
• DragQueryPoint.SHELL32(?,?), ref: 007CCCCF
  • Part of subcall function 007CB1A9: ClientToScreen.USER32(?,?), ref: 007CB1D2
  • Part of subcall function 007CB1A9: GetWindowRect.USER32(?,?), ref: 007CB248
  • Part of subcall function 007CB1A9: PtInRect.USER32(?,?,007CC6BC), ref: 007CB258
• SendMessageW.USER32(?,000000B0,?,?), ref: 007CCD38
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007CCD43
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007CCD66
• _wcscat.LIBCMT ref: 007CCD96
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 007CCDAD
• SendMessageW.USER32(?,000000B0,?,?), ref: 007CCDC6
• SendMessageW.USER32(?,000000B1,?,?), ref: 007CCDDD
• SendMessageW.USER32(?,000000B1,?,?), ref: 007CCDFF
• DragFinish.SHELL32(?), ref: 007CCE06
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007CCEF9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
APIs
• VariantInit.OLEAUT32(00000000), ref: 007A831A
• VariantCopy.OLEAUT32(00000000,?), ref: 007A8323
• VariantClear.OLEAUT32(00000000), ref: 007A832F
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007A841D
• __swprintf.LIBCMT ref: 007A844D
• VarR8FromDec.OLEAUT32(?,?), ref: 007A8479
• VariantInit.OLEAUT32(?), ref: 007A852A
• SysFreeString.OLEAUT32(?), ref: 007A85BE
• VariantClear.OLEAUT32(?), ref: 007A8618
• VariantClear.OLEAUT32(?), ref: 007A8627
• VariantInit.OLEAUT32(00000000), ref: 007A8665
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                                                                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                                                                              • API String ID: 3730832054-3931177956
                                                                                                                                                                              • Opcode ID: 7928809e3872f2b50f7ab6bbb11f781c562b3d5d0e7ed77389bc3805fac9ac72
                                                                                                                                                                              • Instruction ID: 8d67f01636ee95c5e00f304e96b3fdab50ca13c9267a16e85b4d865f1cd401b7
                                                                                                                                                                              • Opcode Fuzzy Hash: 7928809e3872f2b50f7ab6bbb11f781c562b3d5d0e7ed77389bc3805fac9ac72
                                                                                                                                                                              • Instruction Fuzzy Hash: 1BD10471A04515EBDFA09F61C888B6EB7B4FF86701F188255E8059B281DF3CEC40DBA2
APIs
• CharUpperBuffW.USER32(?,?), ref: 007C4A61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007C4AAC
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: d8aab14ca8238ce51d901a8ffa6336ef6bc795917452df3dbcf348a0393b509b
• Instruction ID: 17d6dd91fcc652091557a29818d186a7c9abf4c83da382235c1428265b6a2105
• Opcode Fuzzy Hash: d8aab14ca8238ce51d901a8ffa6336ef6bc795917452df3dbcf348a0393b509b
• Instruction Fuzzy Hash: 3D919A70204705DBCB15EF20C465B6EB7A1BF84354F10896CF8965B3A2CB39ED0ADB92
APIs
• GetLocalTime.KERNEL32(?), ref: 007AE31F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 007AE32F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007AE33B
• __wsplitpath.LIBCMT ref: 007AE399
• _wcscat.LIBCMT ref: 007AE3B1
• _wcscat.LIBCMT ref: 007AE3C3
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007AE3D8
• SetCurrentDirectoryW.KERNEL32(?), ref: 007AE3EC
• SetCurrentDirectoryW.KERNEL32(?), ref: 007AE41E
• SetCurrentDirectoryW.KERNEL32(?), ref: 007AE43F
• _wcscpy.LIBCMT ref: 007AE44B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007AE48A
Strings
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: fd228f46593c35aead512e7c87822dcc49d13aae24cc84e7e68855cef9c2f38d
• Instruction ID: 0538375419b9abea021f95add4a0f1af570f72ac535530b64c6e609a8535d9f6
• Opcode Fuzzy Hash: fd228f46593c35aead512e7c87822dcc49d13aae24cc84e7e68855cef9c2f38d
• Instruction Fuzzy Hash: 27614872504745DFCB10EF64C848A9EB7E8FF89310F048A1EF98987251EB39E945CB92
APIs
  • Part of subcall function 00741F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00742412,?,00000000,?,?,?,?,00741AA7,00000000,?), ref: 00741F76
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007424AF
• KillTimer.USER32(-00000001,?,?,?,?,00741AA7,00000000,?,?,00741EBE,?,?), ref: 0074254A
• DestroyAcceleratorTable.USER32(00000000), ref: 0077BFE7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00741AA7,00000000,?,?,00741EBE,?,?), ref: 0077C018
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00741AA7,00000000,?,?,00741EBE,?,?), ref: 0077C02F
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00741AA7,00000000,?,?,00741EBE,?,?), ref: 0077C04B
• DeleteObject.GDI32(00000000), ref: 0077C05D
Strings
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID: h}
• API String ID: 641708696-1190393154
• Opcode ID: 87a8af5e576ad99e6785babf623f183956758e05a41e7713c42eac4dac9a423d
• Instruction ID: 2fa385838423a0c1ebbf5f41684d8edc11634ae904006620e3a2f0f86381e20a
• Opcode Fuzzy Hash: 87a8af5e576ad99e6785babf623f183956758e05a41e7713c42eac4dac9a423d
• Instruction Fuzzy Hash: E861AB30515640DFDB26AF18CD48B2AB7B1FB44312F90D56DE04686961C778BCA2DFA4
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007AA2C2
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007AA2E3
• __swprintf.LIBCMT ref: 007AA33C
• __swprintf.LIBCMT ref: 007AA355
• _wprintf.LIBCMT ref: 007AA3FC
• _wprintf.LIBCMT ref: 007AA41A
Strings
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 7de74adcf979ab2a6ca7f7442b665a7ef833a922ab65d1753db3f90f7b31ae2e
• Instruction ID: 53dbb3435d0ade9826d021957c18e545bdc9444e38e2ada69adc86e3c6224329
• Opcode Fuzzy Hash: 7de74adcf979ab2a6ca7f7442b665a7ef833a922ab65d1753db3f90f7b31ae2e
• Instruction Fuzzy Hash: E4518171900209FACF14EBE4CD4AEEEB779AF08342F504255F905B2192EB792F58DB61
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,0078F8B8,00000001,0000138C,00000001,00000001,00000001,?,007B3FF9,00000001), ref: 007A009A
• LoadStringW.USER32(00000000,?,0078F8B8,00000001), ref: 007A00A3
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
• GetModuleHandleW.KERNEL32(00000000,00807310,?,00000FFF,?,?,0078F8B8,00000001,0000138C,00000001,00000001,00000001,?,007B3FF9,00000001,00000001), ref: 007A00C5
• LoadStringW.USER32(00000000,?,0078F8B8,00000001), ref: 007A00C8
• __swprintf.LIBCMT ref: 007A0118
• __swprintf.LIBCMT ref: 007A0129
• _wprintf.LIBCMT ref: 007A01D2
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 007A01E9
Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                                              • API String ID: 984253442-2268648507
                                                                                                                                                                              • Opcode ID: 2dd274f6c64bb5cb5801b7f5e07a61f399b29ebc053394680bf0a453e8dde3f2
                                                                                                                                                                              • Instruction ID: dcbf1ba2ff2d3459901196d9f4a8f09301453485b32ee3687f6c9598adbb6e83
                                                                                                                                                                              • Opcode Fuzzy Hash: 2dd274f6c64bb5cb5801b7f5e07a61f399b29ebc053394680bf0a453e8dde3f2
                                                                                                                                                                              • Instruction Fuzzy Hash: AA4164B180021DEACF14EBE0CD4AEEE7778AF55342F900555F905B2092EB796F08CBA1
APIs
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
• CharLowerBuffW.USER32(?,?), ref: 007AAA0E
• GetDriveTypeW.KERNEL32 ref: 007AAA5B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AAAA3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AAADA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AAB08
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: ed3446bc7ea2acfab8aa908c7a655c34f7e5be2ed4d5cc938f97b698202d77e2
• Instruction ID: ff20b47ddc6eb5b76989e69ec13c920fb9e16e2740460866735cf73f95ef1179
• Opcode Fuzzy Hash: ed3446bc7ea2acfab8aa908c7a655c34f7e5be2ed4d5cc938f97b698202d77e2
• Instruction Fuzzy Hash: F4518DB1204305EFC700EF20C885A6AB7F4FF88359F50896DF89597261DB39AD09CB92
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007AA852
• __swprintf.LIBCMT ref: 007AA874
• CreateDirectoryW.KERNEL32(?,00000000), ref: 007AA8B1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007AA8D6
• _memset.LIBCMT ref: 007AA8F5
• _wcsncpy.LIBCMT ref: 007AA931
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007AA966
• CloseHandle.KERNEL32(00000000), ref: 007AA971
• RemoveDirectoryW.KERNEL32(?), ref: 007AA97A
• CloseHandle.KERNEL32(00000000), ref: 007AA984
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: ec241fefb2ce52e641f765ac2ca6f60741d73b21dc0f89f39b5d2755fec13c73
• Instruction ID: 7b0a71ab95ec7104e82a3e99f59e788d31be319f82dec005563417976e2cf88e
• Opcode Fuzzy Hash: ec241fefb2ce52e641f765ac2ca6f60741d73b21dc0f89f39b5d2755fec13c73
• Instruction Fuzzy Hash: 893170B150021AABDB219FA0DC49FEF77BCEF89701F1041A6F909D2160E778A645CB69
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007C982C,?,?), ref: 007CC0C8
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007C982C,?,?,00000000,?), ref: 007CC0DF
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007C982C,?,?,00000000,?), ref: 007CC0EA
• CloseHandle.KERNEL32(00000000,?,?,?,?,007C982C,?,?,00000000,?), ref: 007CC0F7
• GlobalLock.KERNEL32(00000000), ref: 007CC100
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007C982C,?,?,00000000,?), ref: 007CC10F
• GlobalUnlock.KERNEL32(00000000), ref: 007CC118
• CloseHandle.KERNEL32(00000000,?,?,?,?,007C982C,?,?,00000000,?), ref: 007CC11F
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007C982C,?,?,00000000,?), ref: 007CC130
• OleLoadPicture.OLEAUT32(?,00000000,00000000,007D3C7C,?), ref: 007CC149
• GlobalFree.KERNEL32(00000000), ref: 007CC159
• GetObjectW.GDI32(00000000,00000018,?), ref: 007CC17D
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007CC1A8
• DeleteObject.GDI32(00000000), ref: 007CC1D0
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007CC1E6
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 274e0d833a1cf032e0e55cda3c7160b235a66bf28e532b3bb9bcef3efefd2f28
• Instruction ID: 39a5a7a14aebb3c4b6452a4cc0f2afb4681336bdaaded4bdb8940419f3b2d299
• Opcode Fuzzy Hash: 274e0d833a1cf032e0e55cda3c7160b235a66bf28e532b3bb9bcef3efefd2f28
• Instruction Fuzzy Hash: 18415A71501208EFCB118F65CC88FAE7BB9FB89711F148059F909E7260C7389940DBA4
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
                                                                                                                                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007CC8A4
                                                                                                                                                                              • GetFocus.USER32 ref: 007CC8B4
                                                                                                                                                                              • GetDlgCtrlID.USER32(00000000), ref: 007CC8BF
                                                                                                                                                                              • _memset.LIBCMT ref: 007CC9EA
                                                                                                                                                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007CCA15
                                                                                                                                                                              • GetMenuItemCount.USER32(?), ref: 007CCA35
                                                                                                                                                                              • GetMenuItemID.USER32(?,00000000), ref: 007CCA48
                                                                                                                                                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007CCA7C
                                                                                                                                                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007CCAC4
                                                                                                                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007CCAFC
                                                                                                                                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007CCB31
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                                                                              • String ID: 0
                                                                                                                                                                              • API String ID: 1296962147-4108050209
                                                                                                                                                                              • Opcode ID: 3de58efd2bafe71ee4344aa62d4557b36ba7421b37b99abfc0c7aea1eaa15e6a
                                                                                                                                                                              • Instruction ID: a92a33fe9e7dcd7b75efee0fabc41870f5959404d9358345eddb93ed3719e014
                                                                                                                                                                              • Opcode Fuzzy Hash: 3de58efd2bafe71ee4344aa62d4557b36ba7421b37b99abfc0c7aea1eaa15e6a
                                                                                                                                                                              • Instruction Fuzzy Hash: 19814A706083059FD711CF14D889F6BBBE8FB88354F04856EF99997291D738E905CBA2
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00798E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00798E3C
                                                                                                                                                                                • Part of subcall function 00798E20: GetLastError.KERNEL32(?,00798900,?,?,?), ref: 00798E46
                                                                                                                                                                                • Part of subcall function 00798E20: GetProcessHeap.KERNEL32(00000008,?,?,00798900,?,?,?), ref: 00798E55
                                                                                                                                                                                • Part of subcall function 00798E20: HeapAlloc.KERNEL32(00000000,?,00798900,?,?,?), ref: 00798E5C
                                                                                                                                                                                • Part of subcall function 00798E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00798E73
                                                                                                                                                                                • Part of subcall function 00798EBD: GetProcessHeap.KERNEL32(00000008,00798916,00000000,00000000,?,00798916,?), ref: 00798EC9
                                                                                                                                                                                • Part of subcall function 00798EBD: HeapAlloc.KERNEL32(00000000,?,00798916,?), ref: 00798ED0
                                                                                                                                                                                • Part of subcall function 00798EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00798916,?), ref: 00798EE1
                                                                                                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00798B2E
                                                                                                                                                                              • _memset.LIBCMT ref: 00798B43
                                                                                                                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00798B62
                                                                                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 00798B73
                                                                                                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00798BB0
                                                                                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00798BCC
                                                                                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 00798BE9
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00798BF8
                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 00798BFF
                                                                                                                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00798C20
                                                                                                                                                                              • CopySid.ADVAPI32(00000000), ref: 00798C27
                                                                                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00798C58
                                                                                                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00798C7E
                                                                                                                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00798C92
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3996160137-0
                                                                                                                                                                              • Opcode ID: 0284c8a1be4e222d1aa6be9936b0e849a0d362c5b0dee09e5974c0f8e4f4096f
                                                                                                                                                                              • Instruction ID: a3f2da78c16937c429fff73500e257cb3e0d116c3a307d3d5753d322540a78f1
                                                                                                                                                                              • Opcode Fuzzy Hash: 0284c8a1be4e222d1aa6be9936b0e849a0d362c5b0dee09e5974c0f8e4f4096f
                                                                                                                                                                              • Instruction Fuzzy Hash: CA615B71901209FFDF509F94EC48EAEBB79FF06300F14815AE915A6290EB399A05CBA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetDC.USER32(00000000), ref: 007B7A79
                                                                                                                                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007B7A85
                                                                                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 007B7A91
                                                                                                                                                                              • SelectObject.GDI32(00000000,?), ref: 007B7A9E
                                                                                                                                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007B7AF2
                                                                                                                                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007B7B2E
                                                                                                                                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007B7B52
                                                                                                                                                                              • SelectObject.GDI32(00000006,?), ref: 007B7B5A
                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 007B7B63
                                                                                                                                                                              • DeleteDC.GDI32(00000006), ref: 007B7B6A
                                                                                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 007B7B75
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                                                                              • String ID: (
                                                                                                                                                                              • API String ID: 2598888154-3887548279
                                                                                                                                                                              • Opcode ID: 057749874909144bc30c61b65ea97177594bc101d3b5ea0bb207e300f91ccf4d
                                                                                                                                                                              • Instruction ID: 7c8aa1f2ad6cf5eed705d2b78bf965a16d5c66457f7f3591ffcfc7e9a89e541c
                                                                                                                                                                              • Opcode Fuzzy Hash: 057749874909144bc30c61b65ea97177594bc101d3b5ea0bb207e300f91ccf4d
                                                                                                                                                                              • Instruction Fuzzy Hash: DF512A71904209EFCB14CFA8CC85FAEBBB9EF48310F14841EF95AA7250D635A941CB94
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007AA4D4
                                                                                                                                                                                • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
                                                                                                                                                                              • LoadStringW.USER32(?,?,00000FFF,?), ref: 007AA4F6
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007AA54F
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007AA568
                                                                                                                                                                              • _wprintf.LIBCMT ref: 007AA61E
                                                                                                                                                                              • _wprintf.LIBCMT ref: 007AA63C
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                                                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                              • API String ID: 311963372-2391861430
                                                                                                                                                                              • Opcode ID: a5e24663bff6a0042c073b069a0a13ea2599024d6b670900c04ad3e3a05b95cb
                                                                                                                                                                              • Instruction ID: d182db93dfad2ecbb6b7735e16a2af6f7ed1c15b5a0e80c1352798fba061597d
                                                                                                                                                                              • Opcode Fuzzy Hash: a5e24663bff6a0042c073b069a0a13ea2599024d6b670900c04ad3e3a05b95cb
                                                                                                                                                                              • Instruction Fuzzy Hash: 0351AE71900109FACF15EBE0CD4AEEEB779AF05342F504265F905A21A1EB792F58CF61
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007A951A: __time64.LIBCMT ref: 007A9524
                                                                                                                                                                                • Part of subcall function 00754A8C: _fseek.LIBCMT ref: 00754AA4
                                                                                                                                                                              • __wsplitpath.LIBCMT ref: 007A97EF
                                                                                                                                                                                • Part of subcall function 0076431E: __wsplitpath_helper.LIBCMT ref: 0076435E
                                                                                                                                                                              • _wcscpy.LIBCMT ref: 007A9802
                                                                                                                                                                              • _wcscat.LIBCMT ref: 007A9815
                                                                                                                                                                              • __wsplitpath.LIBCMT ref: 007A983A
                                                                                                                                                                              • _wcscat.LIBCMT ref: 007A9850
                                                                                                                                                                              • _wcscat.LIBCMT ref: 007A9863
                                                                                                                                                                                • Part of subcall function 007A9560: _memmove.LIBCMT ref: 007A9599
                                                                                                                                                                                • Part of subcall function 007A9560: _memmove.LIBCMT ref: 007A95A8
                                                                                                                                                                              • _wcscmp.LIBCMT ref: 007A97AA
                                                                                                                                                                                • Part of subcall function 007A9CF1: _wcscmp.LIBCMT ref: 007A9DE1
                                                                                                                                                                                • Part of subcall function 007A9CF1: _wcscmp.LIBCMT ref: 007A9DF4
                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007A9A0D
                                                                                                                                                                              • _wcsncpy.LIBCMT ref: 007A9A80
                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?), ref: 007A9AB6
                                                                                                                                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007A9ACC
                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007A9ADD
                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007A9AEF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1500180987-0
                                                                                                                                                                              • Opcode ID: 1a2aa619581d39dca041b08e0b4d57085890b6ceed1f28249cca1783739f020f
                                                                                                                                                                              • Instruction ID: 72563920e01f62b08adf9d24287667f0d5ffd3ebcedf685c930f4f42e5f9c88c
                                                                                                                                                                              • Opcode Fuzzy Hash: 1a2aa619581d39dca041b08e0b4d57085890b6ceed1f28249cca1783739f020f
                                                                                                                                                                              • Instruction Fuzzy Hash: 37C14DB1D00218AADF11DF95CC89ADEB7BDEF85300F0081AAF609E7151EB749A94CF65
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 00755BF1
                                                                                                                                                                              • GetMenuItemCount.USER32(00807890), ref: 00790E7B
                                                                                                                                                                              • GetMenuItemCount.USER32(00807890), ref: 00790F2B
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 00790F6F
                                                                                                                                                                              • SetForegroundWindow.USER32(00000000), ref: 00790F78
                                                                                                                                                                              • TrackPopupMenuEx.USER32(00807890,00000000,?,00000000,00000000,00000000), ref: 00790F8B
                                                                                                                                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00790F97
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2751501086-0
                                                                                                                                                                              • Opcode ID: 62ce795fafd4af3deb0ef8050d9d1693a925c9989ebab643d6300c6ad3a7fcb6
                                                                                                                                                                              • Instruction ID: 289559ae55a8b877834a4747d3e9636d3d1c390e6042a3c0ce94a94123d935cc
                                                                                                                                                                              • Opcode Fuzzy Hash: 62ce795fafd4af3deb0ef8050d9d1693a925c9989ebab643d6300c6ad3a7fcb6
                                                                                                                                                                              • Instruction Fuzzy Hash: 15712370605709BFEF209B54EC89FAABF65FF04724F104206F924661D1C7B96860DBE0
                                                                                                                                                                              APIs
                                                                                                                                                                              • CharLowerBuffW.USER32(?,?,007D0980), ref: 007AAF4E
                                                                                                                                                                              • GetDriveTypeW.KERNEL32(00000061,007FB5F0,00000061), ref: 007AB018
                                                                                                                                                                              • _wcscpy.LIBCMT ref: 007AB042
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                                                                              • String ID: L,}$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                                              • API String ID: 2820617543-1469465039
                                                                                                                                                                              • Opcode ID: 6231e38e2b161574ddc97daca82cc777092651eeec52adaa382b93371df70246
                                                                                                                                                                              • Instruction ID: d4e80520b3ed8fe783dcb496acb307c285a37f9a573c92d1b9fac0b319bf1bbd
                                                                                                                                                                              • Opcode Fuzzy Hash: 6231e38e2b161574ddc97daca82cc777092651eeec52adaa382b93371df70246
                                                                                                                                                                              • Instruction Fuzzy Hash: EE51E270108305EFC714EF24C895AABB7A5FF91304F504A1DF996572A2DB78ED09CB92
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
                                                                                                                                                                              • _memset.LIBCMT ref: 00798489
                                                                                                                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007984BE
                                                                                                                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007984DA
                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007984F6
                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00798520
                                                                                                                                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00798548
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00798553
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00798558
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                                                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                                                              • API String ID: 1411258926-22481851
                                                                                                                                                                              • Opcode ID: 4493a3689b4000e0fe7acec44f7e1f2f6b731d3394649feac6e4ccd214331f32
                                                                                                                                                                              • Instruction ID: e2512db7bbee6012f59be70f8a270208af32ca417efcc93c40f40835ef1a7916
                                                                                                                                                                              • Opcode Fuzzy Hash: 4493a3689b4000e0fe7acec44f7e1f2f6b731d3394649feac6e4ccd214331f32
                                                                                                                                                                              • Instruction Fuzzy Hash: 36410972C1022DEBCF11EBA4DC59EEDB778FF04352F404129E915A2261EB796D08CB90
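The call sequence in the block above (WNetAddConnection2W, RegConnectRegistryW, RegOpenKeyExW, RegQueryValueExW, CLSIDFromString, with the strings `\IPC$`, `SOFTWARE\Classes\` and `\CLSID`) is easier to triage once the numeric arguments are decoded: 80000002 is HKEY_LOCAL_MACHINE and 00020019 is KEY_READ, so the function opens a remote machine's HKLM\SOFTWARE\Classes read-only to resolve a CLSID. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses bullets written in the report's own "APIs" format into records, decodes the predefined-key handles and registry access masks with the standard Win32 values, and checks whether the remote-registry call order appears. The sample input is constructed from the bullets of the block above; function and constant names (`parse_api_lines`, `decode_reg_access`, `REMOTE_REGISTRY_LOOKUP`) are my own.

```python
"""Parse Joe Sandbox 'APIs' bullets and decode registry constants (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the bullets of the remote-registry block, in the report's format.
SAMPLE = r"""
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
• _memset.LIBCMT ref: 00798489
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007984BE
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007984DA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007984F6
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00798520
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00798548
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00798553
"""

# One bullet: optional "Part of subcall function X:", API.MODULE, optional (args), ref: ADDR.
# CRT helpers such as _memset.LIBCMT carry no argument list and no comma before "ref:".
_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]             # "?" marks an argument the sandbox could not resolve
    ref: int                    # call-site address
    subcall_of: Optional[int]   # set for "Part of subcall function X" bullets

def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn report bullets into ApiCall records; non-matching lines (headings) are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"),
            args=args.split(",") if args else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("subcall"), 16) if m.group("subcall") else None,
        ))
    return calls

# Standard Win32 predefined registry handles and access bits (winreg.h / winnt.h).
PREDEFINED_KEYS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
REG_ACCESS_BITS = [
    (0x00000001, "KEY_QUERY_VALUE"), (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"), (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"), (0x00000020, "KEY_CREATE_LINK"),
    (0x00000100, "KEY_WOW64_64KEY"), (0x00000200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
]
COMPOSITE_ACCESS = {0x00020019: "KEY_READ", 0x00020006: "KEY_WRITE", 0x000F003F: "KEY_ALL_ACCESS"}

def decode_hkey(arg: str) -> str:
    """Name a predefined HKEY argument as printed by the report; pass others through."""
    try:
        return PREDEFINED_KEYS.get(int(arg, 16), arg)
    except ValueError:
        return arg

def decode_reg_access(arg: str) -> str:
    """Name a samDesired mask, preferring KEY_READ/KEY_WRITE/KEY_ALL_ACCESS when exact."""
    try:
        mask = int(arg, 16)
    except ValueError:
        return arg
    if mask in COMPOSITE_ACCESS:
        return COMPOSITE_ACCESS[mask]
    names = [name for bit, name in REG_ACCESS_BITS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in REG_ACCESS_BITS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) or "0"

# Argument positions that carry a decodable constant, per documented prototype (0-based).
_DECODERS = {
    ("RegConnectRegistryW", 1): decode_hkey,   # hKey
    ("RegOpenKeyExW", 0): decode_hkey,         # hKey (when the sandbox resolved it)
    ("RegOpenKeyExW", 3): decode_reg_access,   # samDesired
}

def annotate(call: ApiCall) -> str:
    """Render one call with its known constants decoded."""
    args = [_DECODERS.get((call.api, i), lambda a: a)(a) for i, a in enumerate(call.args)]
    return f"{call.api}({', '.join(args)}) @ {call.ref:08X}"

def matches_sequence(calls: List[ApiCall], wanted: List[str]) -> bool:
    """True if the APIs in `wanted` occur in this order (not necessarily adjacent)."""
    it = iter(c.api for c in calls)
    return all(any(name == api for api in it) for name in wanted)

# Order of calls that, together with the \IPC$ string, marks a remote registry lookup.
REMOTE_REGISTRY_LOOKUP = ["WNetAddConnection2W", "RegConnectRegistryW", "RegOpenKeyExW", "RegQueryValueExW"]

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(annotate(c))
    print("remote registry lookup:", matches_sequence(parsed, REMOTE_REGISTRY_LOOKUP))
```

Run against the block above it prints `RegConnectRegistryW(?, HKEY_LOCAL_MACHINE, ?) @ 007984DA` and `RegOpenKeyExW(?, ?, 00000000, KEY_READ, ?, ?, SOFTWARE\Classes\) @ 007984F6`, which is the detail a triage note needs; the parser also accepts the other "APIs" blocks on this page, and `_DECODERS` can be extended for further APIs (for example GetDriveTypeW return codes) without touching the line grammar.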
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C040D,?,?), ref: 007C1491
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: a4dcae0c36c6dee5820b1595fb47ca702c6858ea753a61a255116a7337798c98
• Instruction ID: 7582929d0cb797625ee0f8c28702ff367e9e541f0f67338630f85f7329cc1083
• Opcode Fuzzy Hash: a4dcae0c36c6dee5820b1595fb47ca702c6858ea753a61a255116a7337798c98
• Instruction Fuzzy Hash: EF413A7060025EDBDF01EF60E955BEA3724AF52300FA04569FC9257252DB78ED2ACBA0
APIs
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
  • Part of subcall function 0075153B: _memmove.LIBCMT ref: 007515C4
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007A58EB
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007A5901
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007A5912
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007A5924
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007A5935
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 8234c3903da149fe7086174ae7893dd59f2084a2f2fd217084920ee89ccfa2d2
• Instruction ID: d271e4cc65267eaaabaf5f7d6bbb71b9e112f3d831a56e9405bdc9c8b53aaa51
• Opcode Fuzzy Hash: 8234c3903da149fe7086174ae7893dd59f2084a2f2fd217084920ee89ccfa2d2
• Instruction Fuzzy Hash: 8911B67198015DF9D720A761DC4EEFF6B7CEFD2B61F8005297901961D0EAA82D04C5A0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: 0d2e433d0712413e18e2f3aca31fdbc49d644bbd5354732b60183d92d7024d1c
• Instruction ID: 68f142b3d2b6674845f9abeb39415016e706f112173ed8d17f9e8b34b8999345
• Opcode Fuzzy Hash: 0d2e433d0712413e18e2f3aca31fdbc49d644bbd5354732b60183d92d7024d1c
• Instruction Fuzzy Hash: FE113A31505108FBCB20A7609C4EEEA7BBCDFC2720F045266F44996192EFBD99818BB1
APIs
• timeGetTime.WINMM ref: 007A5535
  • Part of subcall function 0076083E: timeGetTime.WINMM(?,00000002,0074C22C), ref: 00760842
• Sleep.KERNEL32(0000000A), ref: 007A5561
• EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 007A5585
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007A55A7
• SetActiveWindow.USER32 ref: 007A55C6
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007A55D4
• SendMessageW.USER32(00000010,00000000,00000000), ref: 007A55F3
• Sleep.KERNEL32(000000FA), ref: 007A55FE
• IsWindow.USER32 ref: 007A560A
• EndDialog.USER32(00000000), ref: 007A561B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 12e6094f99a35c29bdae27678058474217fcac0c1300cf7390a9c250c9d71a8e
• Instruction ID: 775aea5baea451173e9d252969c908f011936ff3f976b9618bed68526ce837f7
• Opcode Fuzzy Hash: 12e6094f99a35c29bdae27678058474217fcac0c1300cf7390a9c250c9d71a8e
• Instruction Fuzzy Hash: 0521C2B0505604EFEB805B60EC89B293B7BFB85744F006115F542821A1DB799DA0CABA
APIs
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
• CoInitialize.OLE32(00000000), ref: 007ADC2D
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007ADCC0
• SHGetDesktopFolder.SHELL32(?), ref: 007ADCD4
• CoCreateInstance.OLE32(007D3D4C,00000000,00000001,007FB86C,?), ref: 007ADD20
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007ADD8F
• CoTaskMemFree.OLE32(?,?), ref: 007ADDE7
• _memset.LIBCMT ref: 007ADE24
• SHBrowseForFolderW.SHELL32(?), ref: 007ADE60
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007ADE83
• CoTaskMemFree.OLE32(00000000), ref: 007ADE8A
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007ADEC1
• CoUninitialize.OLE32(00000001,00000000), ref: 007ADEC3
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: a46037ed5f5feda8bb14d412c2aefc4045f3325cd5e3698be5f94d9413f1573f
• Instruction ID: 12e7452c8d3384c35069490eb3b3beb5c10e1427fbc3cbc67b9cb96a76124813
• Opcode Fuzzy Hash: a46037ed5f5feda8bb14d412c2aefc4045f3325cd5e3698be5f94d9413f1573f
• Instruction Fuzzy Hash: F3B1FA75A00109EFDB14DFA4C888EAEBBB9FF89314F148159E906EB251DB34ED45CB90
APIs
• GetKeyboardState.USER32(?), ref: 007A0896
• SetKeyboardState.USER32(?), ref: 007A0901
• GetAsyncKeyState.USER32(000000A0), ref: 007A0921
• GetKeyState.USER32(000000A0), ref: 007A0938
• GetAsyncKeyState.USER32(000000A1), ref: 007A0967
• GetKeyState.USER32(000000A1), ref: 007A0978
• GetAsyncKeyState.USER32(00000011), ref: 007A09A4
• GetKeyState.USER32(00000011), ref: 007A09B2
• GetAsyncKeyState.USER32(00000012), ref: 007A09DB
• GetKeyState.USER32(00000012), ref: 007A09E9
• GetAsyncKeyState.USER32(0000005B), ref: 007A0A12
• GetKeyState.USER32(0000005B), ref: 007A0A20
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 5dcb5e488f9e6dbd95af7e2af29672af6b5a428d887d00034a8457af28775615
• Instruction ID: bae77d8bdb0e6183aaae16696c26817faf72551bddad371eed815d20db654fe2
• Opcode Fuzzy Hash: 5dcb5e488f9e6dbd95af7e2af29672af6b5a428d887d00034a8457af28775615
• Instruction Fuzzy Hash: FF51DB24A0478459FB34DBB044147AABFB49F43380F488B9DC5C2575C3DA6CAA4CCBE5
APIs
• GetDlgItem.USER32(?,00000001), ref: 0079CE1C
• GetWindowRect.USER32(00000000,?), ref: 0079CE2E
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0079CE8C
• GetDlgItem.USER32(?,00000002), ref: 0079CE97
• GetWindowRect.USER32(00000000,?), ref: 0079CEA9
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0079CEFD
• GetDlgItem.USER32(?,000003E9), ref: 0079CF0B
• GetWindowRect.USER32(00000000,?), ref: 0079CF1C
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0079CF5F
• GetDlgItem.USER32(?,000003EA), ref: 0079CF6D
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0079CF8A
• InvalidateRect.USER32(?,00000000,00000001), ref: 0079CF97
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 0023e5f3ae6cdc5f144465b47903310a62b4c1eca2383452b3bec0a6d3d27147
• Instruction ID: 3c6c90464b2b79604e3a6287c70506609a0248f8e4fdc04b37347530ccc3eb3a
• Opcode Fuzzy Hash: 0023e5f3ae6cdc5f144465b47903310a62b4c1eca2383452b3bec0a6d3d27147
• Instruction Fuzzy Hash: 78513E71B00205AFDF18CF69DD99BAEBBBAEB88710F148129F516E6290D774AD008B54
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007429AB: GetWindowLongW.USER32(?,000000EB), ref: 007429BC
                                                                                                                                                                              • GetSysColor.USER32(0000000F), ref: 007425AF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ColorLongWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 259745315-0
                                                                                                                                                                              • Opcode ID: 8d7221faf46003185edd4f820464beb575ac31efdb8ca332067177d45ae0fade
                                                                                                                                                                              • Instruction ID: b0c2ecd71c16721bee2feee3a0574da4d2e729bd91bb49fd53f2278c2c76cd21
                                                                                                                                                                              • Opcode Fuzzy Hash: 8d7221faf46003185edd4f820464beb575ac31efdb8ca332067177d45ae0fade
                                                                                                                                                                              • Instruction Fuzzy Hash: 9C41E530101144AFDB219F289C88BB93776FB0A371F5682A5FD658A1E3C7398C52DB66
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00760B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00752A3E,?,00008000), ref: 00760BA7
                                                                                                                                                                                • Part of subcall function 00760284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00752A58,?,00008000), ref: 007602A4
                                                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00752ADF
                                                                                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00752C2C
                                                                                                                                                                                • Part of subcall function 00753EBE: _wcscpy.LIBCMT ref: 00753EF6
                                                                                                                                                                                • Part of subcall function 0076386D: _iswctype.LIBCMT ref: 00763875
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                                                                              • API String ID: 537147316-3738523708
                                                                                                                                                                              • Opcode ID: 2b28a0265fa9db71d8a2eaa62c366c376e1a4e24ff5f09a7f0823be7fb2e8880
                                                                                                                                                                              • Instruction ID: dbca00be56723b7876cd86904abf2221b10dfedb053f99205435f4606a12cd65
                                                                                                                                                                              • Opcode Fuzzy Hash: 2b28a0265fa9db71d8a2eaa62c366c376e1a4e24ff5f09a7f0823be7fb2e8880
                                                                                                                                                                              • Instruction Fuzzy Hash: 9102DF70108341DFC724EF24C855AAFBBE5BF89345F10491DF88A932A2DB78DA49CB52
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __i64tow__itow__swprintf
                                                                                                                                                                              • String ID: %.15g$0x%p$False$True
                                                                                                                                                                              • API String ID: 421087845-2263619337
                                                                                                                                                                              • Opcode ID: e565afab16d70d75221bb239f98acbe6dcd53efca8b06eee267ea3c5d74d3cab
                                                                                                                                                                              • Instruction ID: f8b73b3ea277205d5b376be29563bad46c1d2168354db6a660a6593bbeca6416
                                                                                                                                                                              • Opcode Fuzzy Hash: e565afab16d70d75221bb239f98acbe6dcd53efca8b06eee267ea3c5d74d3cab
                                                                                                                                                                              • Instruction Fuzzy Hash: CA41D171A04609EADB34DF24C946FBA73F8EF44340F20846AE64ED7292EA799D01DB10
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 007C778F
                                                                                                                                                                              • CreateMenu.USER32 ref: 007C77AA
                                                                                                                                                                              • SetMenu.USER32(?,00000000), ref: 007C77B9
                                                                                                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007C7846
                                                                                                                                                                              • IsMenu.USER32(?), ref: 007C785C
                                                                                                                                                                              • CreatePopupMenu.USER32 ref: 007C7866
                                                                                                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007C7893
                                                                                                                                                                              • DrawMenuBar.USER32 ref: 007C789B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                                                                                              • String ID: 0$F
                                                                                                                                                                              • API String ID: 176399719-3044882817
                                                                                                                                                                              • Opcode ID: fb2599356e5c5568d2142d53001dfaf07b610762128d2e3429d12467ee0afb6e
                                                                                                                                                                              • Instruction ID: 80e921067911cecd17bb6855074c199283d06e44bfc9b15859468c6636ab30df
                                                                                                                                                                              • Opcode Fuzzy Hash: fb2599356e5c5568d2142d53001dfaf07b610762128d2e3429d12467ee0afb6e
                                                                                                                                                                              • Instruction Fuzzy Hash: D3410474A05209EFDB14DF64D888F9ABBF5FB49310F14402DEA56A7360DB35A920CFA4
                                                                                                                                                                              APIs
                                                                                                                                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007C7B83
                                                                                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 007C7B8A
                                                                                                                                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007C7B9D
                                                                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 007C7BA5
                                                                                                                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 007C7BB0
                                                                                                                                                                              • DeleteDC.GDI32(00000000), ref: 007C7BB9
                                                                                                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 007C7BC3
                                                                                                                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007C7BD7
                                                                                                                                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007C7BE3
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                                                                              • String ID: static
                                                                                                                                                                              • API String ID: 2559357485-2160076837
                                                                                                                                                                              • Opcode ID: 70d36cc3fdcbc108c729043a492a2594fc8c1127c12f64cefd8781a6b9eb0361
                                                                                                                                                                              • Instruction ID: b54560b7a8541868612f10579536a1a4020a04e2289dc17117ad3d6d85c3c621
                                                                                                                                                                              • Opcode Fuzzy Hash: 70d36cc3fdcbc108c729043a492a2594fc8c1127c12f64cefd8781a6b9eb0361
                                                                                                                                                                              • Instruction Fuzzy Hash: 2C318B72105218BBDF159F64DC49FDB3B79FF09320F10421AFA55A61A0CB39E820DBA4
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 0076706B
                                                                                                                                                                                • Part of subcall function 00768D58: __getptd_noexit.LIBCMT ref: 00768D58
                                                                                                                                                                              • __gmtime64_s.LIBCMT ref: 00767104
                                                                                                                                                                              • __gmtime64_s.LIBCMT ref: 0076713A
                                                                                                                                                                              • __gmtime64_s.LIBCMT ref: 00767157
                                                                                                                                                                              • __allrem.LIBCMT ref: 007671AD
                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007671C9
                                                                                                                                                                              • __allrem.LIBCMT ref: 007671E0
                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007671FE
                                                                                                                                                                              • __allrem.LIBCMT ref: 00767215
                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00767233
                                                                                                                                                                              • __invoke_watson.LIBCMT ref: 007672A4
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                               • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 384356119-0
                                                                                                                                                                              • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                                                                                                                              • Instruction ID: 755ad9b534cf5c1c0ddc16c310cb2965a1127e76c678892ca87f04dc07c47d5c
                                                                                                                                                                              • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                                                                                                                              • Instruction Fuzzy Hash: EB71F871A04706EBEB189F79CC45B5AB3B9BF413A8F14822AFD15E6281E778D940C790
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 007A2CE9
                                                                                                                                                                              • GetMenuItemInfoW.USER32(00807890,000000FF,00000000,00000030), ref: 007A2D4A
                                                                                                                                                                              • SetMenuItemInfoW.USER32(00807890,00000004,00000000,00000030), ref: 007A2D80
                                                                                                                                                                              • Sleep.KERNEL32(000001F4), ref: 007A2D92
                                                                                                                                                                              • GetMenuItemCount.USER32(?), ref: 007A2DD6
                                                                                                                                                                              • GetMenuItemID.USER32(?,00000000), ref: 007A2DF2
                                                                                                                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 007A2E1C
                                                                                                                                                                              • GetMenuItemID.USER32(?,?), ref: 007A2E61
                                                                                                                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007A2EA7
                                                                                                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2EBB
                                                                                                                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2EDC
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                               • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4176008265-0
                                                                                                                                                                              • Opcode ID: 98bc4b1277de4d6fa2f0492f3bae2a0804132a57698f6c3a23c1c0458a4be9b0
                                                                                                                                                                              • Instruction ID: 63160e0b3754c6658467b9a12775472c1eb469a6ff00add55e234829caa1888a
                                                                                                                                                                              • Opcode Fuzzy Hash: 98bc4b1277de4d6fa2f0492f3bae2a0804132a57698f6c3a23c1c0458a4be9b0
                                                                                                                                                                              • Instruction Fuzzy Hash: F061BF70904249EFDB10CF68DC88EBE7BB9FB82304F144259F842A7252D739AD56DB60
                                                                                                                                                                              APIs
                                                                                                                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007C75CA
                                                                                                                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007C75CD
                                                                                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 007C75F1
                                                                                                                                                                              • _memset.LIBCMT ref: 007C7602
                                                                                                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C7614
                                                                                                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007C768C
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                               • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend$LongWindow_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 830647256-0
                                                                                                                                                                              • Opcode ID: 0fec02e2c4bb68cf791b260c1b77c3dec25e0d085ece75f708b688c719e4629c
                                                                                                                                                                              • Instruction ID: 79badb59a683389ea6a1b95c40d08822f1941a960d270e5ca760ee22eef8182a
                                                                                                                                                                              • Opcode Fuzzy Hash: 0fec02e2c4bb68cf791b260c1b77c3dec25e0d085ece75f708b688c719e4629c
                                                                                                                                                                              • Instruction Fuzzy Hash: 74616975904248AFDB10DFA8CC85FEE77B8EB09710F1041A9FA14A72A1DB74AE51DF60
                                                                                                                                                                              APIs
                                                                                                                                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007977DD
                                                                                                                                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00797836
                                                                                                                                                                              • VariantInit.OLEAUT32(?), ref: 00797848
                                                                                                                                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00797868
                                                                                                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 007978BB
                                                                                                                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 007978CF
                                                                                                                                                                              • VariantClear.OLEAUT32(?), ref: 007978E4
                                                                                                                                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 007978F1
                                                                                                                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007978FA
                                                                                                                                                                              • VariantClear.OLEAUT32(?), ref: 0079790C
                                                                                                                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00797917
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                               • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2706829360-0
                                                                                                                                                                              • Opcode ID: d2517fb83030f7f1dc34ac8136fc67941aa7649c93ff3f9070f152264f081fed
                                                                                                                                                                              • Instruction ID: 8d310643fd9a029f1d1025a07f7a7079559c46b77e9028084d195fa38247d2b4
                                                                                                                                                                              • Opcode Fuzzy Hash: d2517fb83030f7f1dc34ac8136fc67941aa7649c93ff3f9070f152264f081fed
                                                                                                                                                                              • Instruction Fuzzy Hash: B4415135A00219EFCF04DFA4D848EADBBB9FF49354F00C069E955A7261C738AA45CFA0
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetKeyboardState.USER32(?), ref: 007A0530
                                                                                                                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 007A05B1
                                                                                                                                                                              • GetKeyState.USER32(000000A0), ref: 007A05CC
                                                                                                                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 007A05E6
                                                                                                                                                                              • GetKeyState.USER32(000000A1), ref: 007A05FB
                                                                                                                                                                              • GetAsyncKeyState.USER32(00000011), ref: 007A0613
                                                                                                                                                                              • GetKeyState.USER32(00000011), ref: 007A0625
                                                                                                                                                                              • GetAsyncKeyState.USER32(00000012), ref: 007A063D
                                                                                                                                                                              • GetKeyState.USER32(00000012), ref: 007A064F
                                                                                                                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 007A0667
                                                                                                                                                                              • GetKeyState.USER32(0000005B), ref: 007A0679
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                               • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                               • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: State$Async$Keyboard
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 541375521-0
                                                                                                                                                                              • Opcode ID: eb5b99ef79c751aac9deb9a04ea2246eb138a844ffc487294333cd24af7566cd
                                                                                                                                                                              • Instruction ID: 0b73ef88035d7e9373a92db61ec4dc4c651fe14cb80e220a9c80b8254b9197b9
                                                                                                                                                                              • Opcode Fuzzy Hash: eb5b99ef79c751aac9deb9a04ea2246eb138a844ffc487294333cd24af7566cd
                                                                                                                                                                              • Instruction Fuzzy Hash: 5D41C9249047C95DFF30866488047B5BFB06B93344F088A5AD9C6475C1EB9C99F8CFD6
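The records above are the per-function output of the Joe Sandbox IDA plugin export: for each function, the APIs it calls with the argument values observed at the call site, the memory dump the code was lifted from, and the opcode/instruction similarity hashes. A report of this length is easier to triage by parsing the blocks than by reading them. The Python below is an added example and not part of the Joe Sandbox report or of any Joe Sandbox tooling; it parses records in exactly the layout shown on this page and flags the modifier-key polling seen in the function at 007A0530..007A0679 (GetAsyncKeyState/GetKeyState on VK_LSHIFT 0xA0, VK_RSHIFT 0xA1, VK_CONTROL 0x11, VK_MENU 0x12 and VK_LWIN 0x5B). The sample text embedded in the script is constructed from two of this page's records with the hashes abbreviated; the dataclass field names, the two-key threshold and the `triage` helper are my own choices, not anything the report defines.

```python
from dataclasses import dataclass, field

# Constructed sample in the layout of this page's function-trace records:
# the LIBCMT time-formatting helper at 0076706B and the modifier-key
# polling function at 007A0530. Hash values are abbreviated.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0076706B
  • Part of subcall function 00768D58: __getptd_noexit.LIBCMT ref: 00768D58
• __gmtime64_s.LIBCMT ref: 00767104
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007671C9
• __invoke_watson.LIBCMT ref: 007672A4
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode Fuzzy Hash: f1a8c047e8f29504
• Instruction Fuzzy Hash: EB71F871A04706EB
APIs
• GetKeyboardState.USER32(?), ref: 007A0530
• GetAsyncKeyState.USER32(000000A0), ref: 007A05B1
• GetKeyState.USER32(000000A0), ref: 007A05CC
• GetAsyncKeyState.USER32(00000011), ref: 007A0613
• GetAsyncKeyState.USER32(00000012), ref: 007A063D
• GetAsyncKeyState.USER32(0000005B), ref: 007A0667
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode Fuzzy Hash: eb5b99ef79c751aa
• Instruction Fuzzy Hash: 5D41C9249047C95D
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: str      # raw argument list as the sandbox printed it ("?" = not recovered)
    ref: str       # address of the call site
    subcall: bool  # reached through a "Part of subcall function" line


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    offset: str = ""
    api_id: str = ""
    api_string_id: str = ""
    opcode_hash: str = ""
    instruction_hash: str = ""

    def modules(self):
        return sorted({c.module for c in self.apis})


SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}


def _parse_api_line(line):
    """Turn '• Name.MODULE(args), ref: ADDR' (or the subcall variant) into an ApiCall."""
    subcall = line.startswith("Part of subcall function")
    if subcall:
        line = line.split(": ", 1)[1]
    left, ref = line.rsplit(" ref: ", 1)
    left = left.rstrip(",")
    args = ""
    if "(" in left:                      # lines without parentheses carry no argument list
        left, args = left.split("(", 1)
        args = args.rstrip(")")
    name, module = left.rsplit(".", 1)   # decorated C++ names contain '$' and '@', never '.'
    return ApiCall(name, module, args, ref.strip(), subcall)


def parse_function_records(text):
    """Split an export into FunctionRecords; a record starts at each 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if current is None:              # trailing lines of a record cut off before the text began
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            current.apis.append(_parse_api_line(line))
        elif line.startswith("Source File:"):
            body = line[len("Source File:"):].strip()
            current.source_file, _, rest = body.partition(", Offset: ")
            current.offset = rest.split(",", 1)[0].strip()
        elif line.startswith("API String ID:"):
            current.api_string_id = line.split(":", 1)[1].strip()
        elif line.startswith("API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("Opcode Fuzzy Hash:"):
            current.opcode_hash = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            current.instruction_hash = line.split(":", 1)[1].strip()
    return records


# Virtual-key codes polled by the function at 007A0530 on this page:
# VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU (Alt), VK_LWIN.
MODIFIER_VKS = {"000000A0", "000000A1", "00000011", "00000012", "0000005B"}


def polls_modifier_keys(rec, minimum=2):
    """True when the function reads the pressed state of at least `minimum` modifier keys.
    The threshold is a triage choice (assumption), not a published signature."""
    polled = {c.args for c in rec.apis if c.name in ("GetAsyncKeyState", "GetKeyState")}
    return len(polled & MODIFIER_VKS) >= minimum


def triage(text):
    """Map API String ID -> modules used, for every record that polls modifier keys."""
    return {r.api_string_id: r.modules()
            for r in parse_function_records(text) if polls_modifier_keys(r)}


if __name__ == "__main__":
    for rec in parse_function_records(SAMPLE):
        print(rec.api_string_id, rec.offset, rec.modules(), polls_modifier_keys(rec))
```

Feed the whole exported text to `parse_function_records` and group by `source_file` or `offset` to see which dumped module each behaviour lives in; here every record on the page comes from the image based at 00740000.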
APIs
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
• CoInitialize.OLE32 ref: 007B8AED
• CoUninitialize.OLE32 ref: 007B8AF8
• CoCreateInstance.OLE32(?,00000000,00000017,007D3BBC,?), ref: 007B8B58
• IIDFromString.OLE32(?,?), ref: 007B8BCB
• VariantInit.OLEAUT32(?), ref: 007B8C65
• VariantClear.OLEAUT32(?), ref: 007B8CC6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: 93147f0b515bedc933be771e661aa808df14f4949c2577cd69f2289056d5f269
• Instruction ID: 5276843d99fbc5bd2d83837c2de53a422dd955917faa14fcc57177e8474695a9
• Opcode Fuzzy Hash: 93147f0b515bedc933be771e661aa808df14f4949c2577cd69f2289056d5f269
• Instruction Fuzzy Hash: 70618DB0205711DFC750DF24C889BABBBE8AF45714F10484AF9859B291DB78ED48CBA7
APIs
• SetErrorMode.KERNEL32(00000001), ref: 007ABB13
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007ABB89
• GetLastError.KERNEL32 ref: 007ABB93
• SetErrorMode.KERNEL32(00000000,READY), ref: 007ABC00
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: cdf00cd439c7e5205722421a1c7e5efd85bee5853d3ae26e2eb8e521f20e3e80
• Instruction ID: 14fc1f592883577d1ab317315d54630ee63154b2701c1e78b80de292ef74c5a9
• Opcode Fuzzy Hash: cdf00cd439c7e5205722421a1c7e5efd85bee5853d3ae26e2eb8e521f20e3e80
• Instruction Fuzzy Hash: 2431C675A00208DFCB10EF64C849FBDB7B4EF86310F54825AF905D7296DB79A941CBA1
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 0079B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0079B7BD
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00799BCC
• GetDlgCtrlID.USER32 ref: 00799BD7
• GetParent.USER32 ref: 00799BF3
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00799BF6
• GetDlgCtrlID.USER32(?), ref: 00799BFF
• GetParent.USER32(?), ref: 00799C1B
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00799C1E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: eea12d889c619eae58e06ae7033191bc685f61efba6d7dfbb35793c6b7a947a0
• Instruction ID: d80f91de1566613415ec63405283e46cecdbf4fb531b549ff16c9477e61a2f47
• Opcode Fuzzy Hash: eea12d889c619eae58e06ae7033191bc685f61efba6d7dfbb35793c6b7a947a0
• Instruction Fuzzy Hash: FB21D1B4901108ABDF00ABA4DC89EFEBBB4EF95301F00411AF961932D1DB7D8828DA60
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 0079B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0079B7BD
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00799CB5
• GetDlgCtrlID.USER32 ref: 00799CC0
• GetParent.USER32 ref: 00799CDC
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00799CDF
• GetDlgCtrlID.USER32(?), ref: 00799CE8
• GetParent.USER32(?), ref: 00799D04
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00799D07
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 11f7d611f7bcbabae38bd3cbd97819506d2e581a30fbecd9b586805cc6ed9d5b
• Instruction ID: bdf6b95fa7fc40ed2afdf7d3f06038b7994b4fcc2966f1508f23d8409fd41c31
• Opcode Fuzzy Hash: 11f7d611f7bcbabae38bd3cbd97819506d2e581a30fbecd9b586805cc6ed9d5b
• Instruction Fuzzy Hash: AA21B0B5A01108FBDF14EBB4DC89EFEBBB9EF95300F104116B95193291DB7D8928DA60
APIs
• GetParent.USER32 ref: 00799D27
• GetClassNameW.USER32(00000000,?,00000100), ref: 00799D3C
• _wcscmp.LIBCMT ref: 00799D4E
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00799DC9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: c3c68239b774474946d7d0c13fbb675c372c578c4c69e3b118e6e1930bee2593
• Instruction ID: ebbb91ae73b9aa3632d531ebde73beab418eb6bdc8117ca405b1a2db667d2922
• Opcode Fuzzy Hash: c3c68239b774474946d7d0c13fbb675c372c578c4c69e3b118e6e1930bee2593
• Instruction Fuzzy Hash: E3110AF634830AF9FE042628FC4BDB6739CDF05320F20001AFB15A51D1FA5DA96155A5
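The function records above are the Joe Sandbox IDA plugin's per-function output: the API calls with their reference addresses, the memory dump the function was recovered from, and the similarity identifiers (API ID, String ID, API String ID, Opcode ID, fuzzy hashes). In a report of this size those records are only useful once they are in structured form, so that functions can be grouped by API String ID or diffed by Opcode ID; for instance, the two ComboBox/ListBox records above share API String ID 1536045017-1403004172 but carry different Opcode IDs, while the SHELLDLL_DefView record stands alone. The Python script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses a constructed excerpt (three of the records from this section, shortened, with the page's indentation and "Download File" link text removed) and reports the groups that share an API/string profile but differ in code bytes. The field names (`apis`, `fields`, `associated`, `subcall`) and the helper names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from this report section in the
# plugin's own layout, shortened, indentation and link text removed.
SAMPLE = """\
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 0079B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0079B7BD
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00799BCC
• GetDlgCtrlID.USER32 ref: 00799BD7
• GetParent.USER32 ref: 00799BF3
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: eea12d889c619eae58e06ae7033191bc685f61efba6d7dfbb35793c6b7a947a0
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00799CB5
Similarity
• API String ID: 1536045017-1403004172
• Opcode ID: 11f7d611f7bcbabae38bd3cbd97819506d2e581a30fbecd9b586805cc6ed9d5b
APIs
• GetParent.USER32 ref: 00799D27
Similarity
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: c3c68239b774474946d7d0c13fbb675c372c578c4c69e3b118e6e1930bee2593
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "• [Part of subcall function <addr>: ]<Api>.<MODULE>[(<args>)][,] ref: <addr>"
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# "• <Key>: <value>" bullet lines under every other heading
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_records(text):
    """One dict per function record; a record starts at each "APIs" heading."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                records.append({"apis": [], "fields": {}, "associated": []})
            section = line
        elif line and records and section == "APIs":
            m = API_LINE.match(line)
            if m:  # lines the pattern does not cover are skipped
                records[-1]["apis"].append({
                    "name": m["name"], "module": m["module"],
                    "args": m["args"].split(",") if m["args"] else [],
                    "ref": int(m["ref"], 16),
                    # caller address when the call sits in a sub-function
                    "subcall": int(m["sub"], 16) if m["sub"] else None})
        elif line and records:
            m = FIELD_LINE.match(line)
            if m and m["key"] == "Associated":  # several per record
                records[-1]["associated"].append(m["value"])
            elif m:
                records[-1]["fields"][m["key"]] = m["value"]
    return records


def api_profile(rec, include_subcalls=False):
    """Sorted, de-duplicated API names of a record, the usual pivot key."""
    return sorted({a["name"] for a in rec["apis"]
                   if include_subcalls or a["subcall"] is None})


def group_by_api_string_id(records):
    """API String ID -> Opcode IDs of the functions that carry it."""
    groups = defaultdict(list)
    for rec in records:
        key = rec["fields"].get("API String ID")
        if key:
            groups[key].append(rec["fields"].get("Opcode ID"))
    return dict(groups)


def near_duplicates(records):
    """Same API/string profile, different code bytes (distinct Opcode IDs)."""
    return {key: sorted(set(ops))
            for key, ops in group_by_api_string_id(records).items()
            if len(set(ops)) > 1}
```

To use it on a full report, feed `parse_records` the extracted text of the function listing; `api_profile` gives a stable key for comparing functions across reports, and `near_duplicates` flags the API String IDs that appear with more than one Opcode ID, which is where a second look at the disassembly pays off.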
                                                                                                                                                                              APIs
                                                                                                                                                                              • VariantInit.OLEAUT32(?), ref: 007B8FC1
                                                                                                                                                                              • CoInitialize.OLE32(00000000), ref: 007B8FEE
                                                                                                                                                                              • CoUninitialize.OLE32 ref: 007B8FF8
                                                                                                                                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 007B90F8
                                                                                                                                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 007B9225
                                                                                                                                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007D3BDC), ref: 007B9259
                                                                                                                                                                              • CoGetObject.OLE32(?,00000000,007D3BDC,?), ref: 007B927C
                                                                                                                                                                              • SetErrorMode.KERNEL32(00000000), ref: 007B928F
                                                                                                                                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007B930F
                                                                                                                                                                              • VariantClear.OLEAUT32(?), ref: 007B931F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: 56675fbced29e5217303555bea4af1c975a3a994715b1cb39889268854991330
• Instruction ID: 016838958b47610432e422f78f79b3e21ca31669d30ce6079482f0687dbfdd13
• Opcode Fuzzy Hash: 56675fbced29e5217303555bea4af1c975a3a994715b1cb39889268854991330
• Instruction Fuzzy Hash: 22C116B1604305EFD700DF68C888AAAB7E9FF89708F00491DF6999B251DB75ED05CB92
APIs
• GetCurrentThreadId.KERNEL32 ref: 007A19EF
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,007A0A67,?,00000001), ref: 007A1A03
• GetWindowThreadProcessId.USER32(00000000), ref: 007A1A0A
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0A67,?,00000001), ref: 007A1A19
• GetWindowThreadProcessId.USER32(?,00000000), ref: 007A1A2B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0A67,?,00000001), ref: 007A1A44
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0A67,?,00000001), ref: 007A1A56
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007A0A67,?,00000001), ref: 007A1A9B
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007A0A67,?,00000001), ref: 007A1AB0
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007A0A67,?,00000001), ref: 007A1ABB
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 6fa4a230b80eb2662e170fad08d618c80e1c7768847ecbf05a87619c883aa482
• Instruction ID: e4e0e7e70d62a58801f2a44e8235185994d76ae1f0cdca129169bd40773b7da9
• Opcode Fuzzy Hash: 6fa4a230b80eb2662e170fad08d618c80e1c7768847ecbf05a87619c883aa482
• Instruction Fuzzy Hash: 4331C175606205FFEB10DF24DC44B6977BAFB96355F90C216F900C6190DB789D808F54
APIs
• GetSysColor.USER32(00000008), ref: 0074260D
• SetTextColor.GDI32(?,000000FF), ref: 00742617
• SetBkMode.GDI32(?,00000001), ref: 0074262C
• GetStockObject.GDI32(00000005), ref: 00742634
• GetClientRect.USER32(?), ref: 0077C0FC
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0077C113
• GetWindowDC.USER32(?), ref: 0077C11F
• GetPixel.GDI32(00000000,?,?), ref: 0077C12E
• ReleaseDC.USER32(?,00000000), ref: 0077C140
• GetSysColor.USER32(00000005), ref: 0077C15E
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0
• Opcode ID: eb99c83ed1427a21dba04d0febb48222f7a8882ea23e6ec6576f741780788e45
• Instruction ID: 62dbb8cc5030d9a6885e1a3c848139191d9cc8fde0341dc7eb81a6398939dcce
• Opcode Fuzzy Hash: eb99c83ed1427a21dba04d0febb48222f7a8882ea23e6ec6576f741780788e45
• Instruction Fuzzy Hash: 62117231501205BFDB615FB4EC08BA97B71FB08321F508266FA66950E2CB390961EF55
APIs
• EnumChildWindows.USER32(?,0079B13A), ref: 0079B078
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: 8e2877c69ced934cf6a3bc7b75301f74c5c5d230d45bba0eebb593320d793038
• Instruction ID: 104e9a7af984e84bb67205af4a6f1f5cedafa082da8776f5d4ba9268e31bc112
• Opcode Fuzzy Hash: 8e2877c69ced934cf6a3bc7b75301f74c5c5d230d45bba0eebb593320d793038
• Instruction Fuzzy Hash: 29917F70A0050AFACF08EF60D486BEEFB75BF14300F548119E95AA7251DF38A959DBE1
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 0074327E
  • Part of subcall function 0074218F: GetClientRect.USER32(?,?), ref: 007421B8
  • Part of subcall function 0074218F: GetWindowRect.USER32(?,?), ref: 007421F9
  • Part of subcall function 0074218F: ScreenToClient.USER32(?,?), ref: 00742221
• GetDC.USER32 ref: 0077D073
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0077D086
• SelectObject.GDI32(00000000,00000000), ref: 0077D094
• SelectObject.GDI32(00000000,00000000), ref: 0077D0A9
• ReleaseDC.USER32(?,00000000), ref: 0077D0B1
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0077D13C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: b06590380ee447c902872c06881ae0eac1a77fe532c7968e09db2b8b7bc89dde
• Instruction ID: 840ef1a0d7b786397927c237a9e5afcba9a7f040698587a02d8926f32ef53c40
• Opcode Fuzzy Hash: b06590380ee447c902872c06881ae0eac1a77fe532c7968e09db2b8b7bc89dde
• Instruction Fuzzy Hash: 2571E230500209EFCF31DF64C884AAA7BB5FF493A0F14826AED595A1A6C7799C51DF60
APIs
  • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
  • Part of subcall function 00742714: GetCursorPos.USER32(?), ref: 00742727
  • Part of subcall function 00742714: ScreenToClient.USER32(008077B0,?), ref: 00742744
  • Part of subcall function 00742714: GetAsyncKeyState.USER32(00000001), ref: 00742769
  • Part of subcall function 00742714: GetAsyncKeyState.USER32(00000002), ref: 00742777
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 007CC69C
• ImageList_EndDrag.COMCTL32 ref: 007CC6A2
• ReleaseCapture.USER32 ref: 007CC6A8
• SetWindowTextW.USER32(?,00000000), ref: 007CC752
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007CC765
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 007CC847
Strings
Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                                                                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                                                                                              • API String ID: 1924731296-2107944366
                                                                                                                                                                              • Opcode ID: 6886f580d42aea27bd009e274ac2a340e5e21e33621d40de816edaacf0768dcb
                                                                                                                                                                              • Instruction ID: 324b83a0244390295f8142737599c354a365b865c43bd8edce368f71acbd4dbd
                                                                                                                                                                              • Opcode Fuzzy Hash: 6886f580d42aea27bd009e274ac2a340e5e21e33621d40de816edaacf0768dcb
                                                                                                                                                                              • Instruction Fuzzy Hash: 6A517A70608204EFD705EF14CC5AF6A7BE5FB84311F00852DF995872E2CB78A959CB92
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007B211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007B2148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007B218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007B219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B21AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007B21DC
• InternetCloseHandle.WININET(00000000), ref: 007B2223
  • Part of subcall function 007B2B4F: GetLastError.KERNEL32(?,?,007B1EE3,00000000,00000000,00000001), ref: 007B2B64
  • Part of subcall function 007B2B4F: SetEvent.KERNEL32(?,?,007B1EE3,00000000,00000000,00000001), ref: 007B2B79
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: ffbefab14851023bfcfad72f0a84ff7f7214188decd450f00436e6c9942c6b2f
• Instruction ID: 82f4b7081bcad0d64696e1151dc78e3f085dfe858ee47c17e0fa89d3e64aadbe
• Opcode Fuzzy Hash: ffbefab14851023bfcfad72f0a84ff7f7214188decd450f00436e6c9942c6b2f
• Instruction Fuzzy Hash: 9E4150B1502208BFEB129F60CC89FFB7BACFF08354F004116FA059A152D7789D458BA4
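The WinINet record above is the kind of chain an analyst reads by hand: the option 0x1F passed to InternetQueryOptionW and InternetSetOptionW is INTERNET_OPTION_SECURITY_FLAGS, and level 5 in HttpQueryInfoW is HTTP_QUERY_CONTENT_LENGTH. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses this per-function listing format into records, resolves the few SDK constants it knows, and tags each function by capability so the process-launch, file-move and HTTP functions on this page surface without scrolling. SAMPLE is constructed from three records on this page, shortened; the KNOWN_ARGS constants are from the Win32 headers, while the CAPABILITIES vocabulary and the tag names are this example's own choice.

```python
"""Parse Joe Sandbox per-function API listings and tag each function by capability.
Added example (not the report's or the IDA plugin's code); SAMPLE is constructed from this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007B211C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007B218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007B219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B21AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007B21DC
  • Part of subcall function 007B2B4F: GetLastError.KERNEL32(?,?,007B1EE3,00000000,00000000,00000001), ref: 007B2B64
Memory Dump Source
• Opcode ID: ffbefab14851023bfcfad72f0a84ff7f7214188decd450f00436e6c9942c6b2f
APIs
• _memset.LIBCMT ref: 007BFD9E
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C0133
• CloseHandle.KERNEL32(?), ref: 007C0194
Memory Dump Source
• Opcode ID: 79b75e2454324f072303daff99d43fa2b3195ade2a988c89e3a5b65891f9d4da
APIs
  • Part of subcall function 007A4FEC: GetFileAttributesW.KERNEL32(?,007A3BFE), ref: 007A4FED
• MoveFileW.KERNEL32(?,?), ref: 007A5330
Memory Dump Source
• Opcode ID: 7070dd4973481116c8cf0d4d5550f3e9d0bcebc05f2576e2740d2e07f2a1e742
"""

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE, optional
# "(args)", then "ref: address". Calls without arguments carry no parentheses at all.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                      # raw hex strings; '?' = not resolved by the plugin
    ref: str
    subcall: Optional[str] = None   # address of the sub-function that makes the call

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    calls: list = field(default_factory=list)

def parse_records(text: str) -> list:
    """Split the listing on 'APIs' headers; keep each record's calls and its Opcode ID."""
    records, current, in_apis = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current, in_apis = FunctionRecord(), True
            records.append(current)
        elif current is None:
            continue
        elif s and not s.startswith("•"):           # any other section header ends the API list
            in_apis = False
        elif s.startswith("• Opcode ID:"):
            current.opcode_id = s.split(":", 1)[1].strip()
        elif in_apis and (m := CALL_RE.match(line)):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         m.group("ref"), m.group("sub")))
    return records

# (API name, argument index) -> {value: SDK constant}; values from wininet.h / winuser.h
KNOWN_ARGS = {
    ("InternetQueryOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("InternetSetOptionW", 1): {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoW", 1): {0x05: "HTTP_QUERY_CONTENT_LENGTH"},
    ("GetAsyncKeyState", 0): {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON"},
    ("DefDlgProcW", 1): {0x202: "WM_LBUTTONUP"},
}

def decode_args(call: ApiCall) -> list:
    """Swap hex arguments that match a known SDK constant for the constant's name."""
    out = []
    for i, raw in enumerate(call.args):
        if not re.fullmatch(r"[0-9A-Fa-f]+", raw):  # '?' placeholder: keep it, never guess
            out.append(raw)
        else:
            out.append(KNOWN_ARGS.get((call.name, i), {}).get(int(raw, 16), raw))
    return out

# Capability vocabulary is this example's own choice, not a Joe Sandbox signature set.
CAPABILITIES = {
    "http-client": {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW", "InternetOpenUrlW"},
    "process-launch": {"CreateProcessW", "CreateProcessA", "ShellExecuteW", "ShellExecuteExW"},
    "file-relocation": {"MoveFileW", "MoveFileExW", "CopyFileW"},
    "input-capture": {"GetAsyncKeyState", "GetKeyState"},
}

def tag_record(record: FunctionRecord) -> set:
    names = {c.name for c in record.calls}
    tags = {tag for tag, apis in CAPABILITIES.items() if names & apis}
    # Flag InternetSetOptionW only when the decoded option really is the security-flags one.
    if any(c.name == "InternetSetOptionW" and "INTERNET_OPTION_SECURITY_FLAGS" in decode_args(c)
           for c in record.calls):
        tags.add("sets-security-flags")
    return tags

def summarize(text: str) -> dict:
    """Map the first 12 hex chars of each tagged function's Opcode ID to its sorted tags."""
    return {r.opcode_id[:12]: sorted(tag_record(r)) for r in parse_records(text) if tag_record(r)}
```

Paste a whole report's function listing into `summarize()` and the untagged GUI plumbing (ImageList, InvalidateRect, DefDlgProcW) drops out, leaving the functions worth opening in the disassembler. A `?` argument is one the plugin could not resolve statically, so `decode_args` passes it through untouched rather than inventing a value; the same goes for any constant not in KNOWN_ARGS.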
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,007D0980), ref: 007B9412
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007D0980), ref: 007B9446
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007B95C0
• SysFreeString.OLEAUT32(?), ref: 007B95EA
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: ea4a034578cbf5ae566c8fbc230cbf1dae421cd70ee20a43fe2640e7af85a083
• Instruction ID: 71d716deb025a3423f67a297134be2834608665545bad116818b550f54a322c1
• Opcode Fuzzy Hash: ea4a034578cbf5ae566c8fbc230cbf1dae421cd70ee20a43fe2640e7af85a083
• Instruction Fuzzy Hash: 99F10971A00209EFCB14DFA4C888EEEB7B9FF45314F148059F616AB291DB35AE45CB90
APIs
• _memset.LIBCMT ref: 007BFD9E
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007BFF31
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007BFF55
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007BFF95
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007BFFB7
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C0133
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007C0165
• CloseHandle.KERNEL32(?), ref: 007C0194
• CloseHandle.KERNEL32(?), ref: 007C020B
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 79b75e2454324f072303daff99d43fa2b3195ade2a988c89e3a5b65891f9d4da
• Instruction ID: a11ccb8d2371c8a475186744d1d5137941b0c16951d1997636929ab3964a0ed2
• Opcode Fuzzy Hash: 79b75e2454324f072303daff99d43fa2b3195ade2a988c89e3a5b65891f9d4da
• Instruction Fuzzy Hash: B3E1B031604341DFC714EF24C899B6EBBE1AF85310F18846DF9859B2A2CB39EC45CB92
APIs
  • Part of subcall function 007A4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A3B8A,?), ref: 007A4BE0
  • Part of subcall function 007A4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A3B8A,?), ref: 007A4BF9
  • Part of subcall function 007A4FEC: GetFileAttributesW.KERNEL32(?,007A3BFE), ref: 007A4FED
• lstrcmpiW.KERNEL32(?,?), ref: 007A52FB
• _wcscmp.LIBCMT ref: 007A5315
• MoveFileW.KERNEL32(?,?), ref: 007A5330
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 7070dd4973481116c8cf0d4d5550f3e9d0bcebc05f2576e2740d2e07f2a1e742
• Instruction ID: 7406f509615593eb6101afd79c2de7090af7f5ee5b9b40896d96a143870a292c
• Opcode Fuzzy Hash: 7070dd4973481116c8cf0d4d5550f3e9d0bcebc05f2576e2740d2e07f2a1e742
• Instruction Fuzzy Hash: 505197B20087849BC764DB50D885ADFB3ECAFC5301F404A1EF589D3152EF79A689C766
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007C8D24
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0077C638
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0077C65A
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0077C672
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0077C690
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0077C6B1
• DestroyIcon.USER32(00000000), ref: 0077C6C0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0077C6DD
• DestroyIcon.USER32(?), ref: 0077C6EC
  • Part of subcall function 007CAAD4: DeleteObject.GDI32(00000000), ref: 007CAB0D
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
  • Part of subcall function 0079B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0079B54D
  • Part of subcall function 0079B52D: GetCurrentThreadId.KERNEL32 ref: 0079B554
  • Part of subcall function 0079B52D: AttachThreadInput.USER32(00000000,?,0079A23B,?,00000001), ref: 0079B55B
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0079A246
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0079A263
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0079A266
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0079A26F
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0079A28D
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0079A290
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0079A299
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0079A2B0
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0079A2B3
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0079915A,00000B00,?,?), ref: 007994E2
• HeapAlloc.KERNEL32(00000000,?,0079915A,00000B00,?,?), ref: 007994E9
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0079915A,00000B00,?,?), ref: 007994FE
• GetCurrentProcess.KERNEL32(?,00000000,?,0079915A,00000B00,?,?), ref: 00799506
• DuplicateHandle.KERNEL32(00000000,?,0079915A,00000B00,?,?), ref: 00799509
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0079915A,00000B00,?,?), ref: 00799519
• GetCurrentProcess.KERNEL32(0079915A,00000000,?,0079915A,00000B00,?,?), ref: 00799521
• DuplicateHandle.KERNEL32(00000000,?,0079915A,00000B00,?,?), ref: 00799524
• CreateThread.KERNEL32(00000000,00000000,0079954A,00000000,00000000,00000000), ref: 0079953E
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
APIs
Strings
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
                                                                                                                                                                              • Opcode ID: bc89bc40dde12b294f4ec64d8627041f350158e936d0c19604161a364113c1f9
                                                                                                                                                                              • Instruction ID: da73d53f925b8fe38586c914cf102bcbfa9111135bf3793b8ea6ff7d16b373b5
                                                                                                                                                                              • Opcode Fuzzy Hash: bc89bc40dde12b294f4ec64d8627041f350158e936d0c19604161a364113c1f9
                                                                                                                                                                              • Instruction Fuzzy Hash: D2915F71A00219ABDF24CFA5C848FEEB7B8EF85710F10855DF725AB251D778A944CBA0
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007C7449
• SendMessageW.USER32(?,00001036,00000000,?), ref: 007C745D
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007C7477
• _wcscat.LIBCMT ref: 007C74D2
• SendMessageW.USER32(?,00001057,00000000,?), ref: 007C74E9
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 007C7517
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: 7c57ba93293f7ed8ee2f83ed072e590dd132fc4c34f9527ddd2253dfac4acd70
• Instruction ID: e62250db04c30af3630dbd9015854403ea23d4bf7f0a4ef9027cfeeaeab41831
• Opcode Fuzzy Hash: 7c57ba93293f7ed8ee2f83ed072e590dd132fc4c34f9527ddd2253dfac4acd70
• Instruction Fuzzy Hash: 23418271A04348EFDB259F64CC85FEE7BA8EF08350F10442EF945A7291D6799D84CB50
APIs
  • Part of subcall function 007A4148: CreateToolhelp32Snapshot.KERNEL32 ref: 007A416D
  • Part of subcall function 007A4148: Process32FirstW.KERNEL32(00000000,?), ref: 007A417B
  • Part of subcall function 007A4148: CloseHandle.KERNEL32(00000000), ref: 007A4245
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 007BF08D
• GetLastError.KERNEL32 ref: 007BF0A0
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 007BF0CF
• TerminateProcess.KERNEL32(00000000,00000000), ref: 007BF14C
• GetLastError.KERNEL32(00000000), ref: 007BF157
• CloseHandle.KERNEL32(00000000), ref: 007BF18C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: da16dad88b8a2e8a68fabc05d40c102564a1cec90a414fca3f6b6b1462e79b7c
• Instruction ID: f3a9070bfb2014e684206032cf015043f5177b9598fe7e96bc571f5e36a6e02c
• Opcode Fuzzy Hash: da16dad88b8a2e8a68fabc05d40c102564a1cec90a414fca3f6b6b1462e79b7c
• Instruction Fuzzy Hash: D441BE31300209DFDB25EF28CC99FADB7A5AF84714F048419F9425B292DBB9A804CF95
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 007A357C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 4bb911d179b2a98d0213fdc26caa0a2197bab06562516ce218f5234914c07ab3
• Instruction ID: 3ca423dfa6ea856b231140653c3010ebf1252fff2e82265b3053eee730177ae7
• Opcode Fuzzy Hash: 4bb911d179b2a98d0213fdc26caa0a2197bab06562516ce218f5234914c07ab3
• Instruction Fuzzy Hash: 6F113D71E0834EFEE7045E78DC96DBA779CDF47360B20011AFA1056281E76C6F5045A0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007A4802
• LoadStringW.USER32(00000000), ref: 007A4809
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007A481F
• LoadStringW.USER32(00000000), ref: 007A4826
• _wprintf.LIBCMT ref: 007A484C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 007A486A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 007A4847
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 8a57ec1f6519a73053105b7315acd6ac884ce0be56790b147c68d1014049aa52
• Instruction ID: 4337d2bf03aeddf2f8a5138148a8f70fadf59aff1c1a7bf24a240bb2743f067d
• Opcode Fuzzy Hash: 8a57ec1f6519a73053105b7315acd6ac884ce0be56790b147c68d1014049aa52
• Instruction Fuzzy Hash: 610162F294120C7FE71197A0DD89FFA777CEB48300F4045A6BB49E2141EA799E848BB5
APIs
  • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
• GetSystemMetrics.USER32(0000000F), ref: 007CDB42
• GetSystemMetrics.USER32(0000000F), ref: 007CDB62
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007CDD9D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007CDDBB
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007CDDDC
• ShowWindow.USER32(00000003,00000000), ref: 007CDDFB
• InvalidateRect.USER32(?,00000000,00000001), ref: 007CDE20
• DefDlgProcW.USER32(?,00000005,?,?), ref: 007CDE43
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: ecb9b6231ff4488d64728dd0c4bef031fbccc2c02730e54937bbeca84e916fb2
• Instruction ID: e17017283c14428b9e3a2d05cdc1eccf1484b23f62c2914006794573beb39bd9
• Opcode Fuzzy Hash: ecb9b6231ff4488d64728dd0c4bef031fbccc2c02730e54937bbeca84e916fb2
• Instruction Fuzzy Hash: 14B18871A00215AFDF24CF69C989BA97BB1FF44701F08807EED499E295D738AD50CBA0
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 007C147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C040D,?,?), ref: 007C1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C044E
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: BuffCharConnectRegistryUpper_memmove
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3479070676-0
                                                                                                                                                                              • Opcode ID: 5a25f50a45c0bba5d505954cb55cab662472c4879badf6a0b9f60171f657f1d1
                                                                                                                                                                              • Instruction ID: b103885e13b83c634e4a07419bc0cd5288bb3b8feaf5d0347c5b5f0ba6cc20e8
                                                                                                                                                                              • Opcode Fuzzy Hash: 5a25f50a45c0bba5d505954cb55cab662472c4879badf6a0b9f60171f657f1d1
                                                                                                                                                                              • Instruction Fuzzy Hash: BEA15530204201DFCB14EF24C889F6EB7E5AF84314F14891DF9969B2A2DB79E955CF86
                                                                                                                                                                              APIs
                                                                                                                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0077C508,00000004,00000000,00000000,00000000), ref: 00742E9F
                                                                                                                                                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0077C508,00000004,00000000,00000000,00000000,000000FF), ref: 00742EE7
                                                                                                                                                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0077C508,00000004,00000000,00000000,00000000), ref: 0077C55B
                                                                                                                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0077C508,00000004,00000000,00000000,00000000), ref: 0077C5C7
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ShowWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1268545403-0
                                                                                                                                                                              • Opcode ID: 3bd1a06acc120808835b9188d62ea07ce5f17c03f9a0adce1bac432f31e8d05c
                                                                                                                                                                              • Instruction ID: 06c794b2fe8dcdef0f29c923f2e358f67de87562c5b8e8ae165d2ec74012ef25
                                                                                                                                                                              • Opcode Fuzzy Hash: 3bd1a06acc120808835b9188d62ea07ce5f17c03f9a0adce1bac432f31e8d05c
                                                                                                                                                                              • Instruction Fuzzy Hash: 52410930604690AACB368B28C88C77A7FA2AB85310FA8C50EF44746562C77DF962D765
                                                                                                                                                                              APIs
                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 007A7698
                                                                                                                                                                                • Part of subcall function 00760FE6: std::exception::exception.LIBCMT ref: 0076101C
                                                                                                                                                                                • Part of subcall function 00760FE6: __CxxThrowException@8.LIBCMT ref: 00761031
                                                                                                                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007A76CF
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 007A76EB
                                                                                                                                                                              • _memmove.LIBCMT ref: 007A7739
                                                                                                                                                                              • _memmove.LIBCMT ref: 007A7756
                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 007A7765
                                                                                                                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007A777A
                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 007A7799
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 256516436-0
                                                                                                                                                                              • Opcode ID: 17d33e483b5a49785ee293a8f864359ce4e4d23650b8edb89eba05e31c2981a7
                                                                                                                                                                              • Instruction ID: f1f7abe244383471b9b5d1a091a6e94f6876cd1008ba16214088a1dac87d2c01
                                                                                                                                                                              • Opcode Fuzzy Hash: 17d33e483b5a49785ee293a8f864359ce4e4d23650b8edb89eba05e31c2981a7
                                                                                                                                                                              • Instruction Fuzzy Hash: 4E315E35904209EBCF10EF64DC89EAEB778EF45310F1881A6FD04AA256D7389A54DBA4
                                                                                                                                                                              APIs
                                                                                                                                                                              • DeleteObject.GDI32(00000000), ref: 007C6810
                                                                                                                                                                              • GetDC.USER32(00000000), ref: 007C6818
                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C6823
                                                                                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 007C682F
                                                                                                                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007C686B
                                                                                                                                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007C687C
                                                                                                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007C964F,?,?,000000FF,00000000,?,000000FF,?), ref: 007C68B6
                                                                                                                                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007C68D6
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3864802216-0
                                                                                                                                                                              • Opcode ID: 01c19009af21e84132a479df60c2a4c36ea707d6713aa8d066f0899c1b7c5a52
                                                                                                                                                                              • Instruction ID: 9cff9a8db34c2f9be25c8910a44bedca494062148f432d6e94b61e0a60a9c57d
                                                                                                                                                                              • Opcode Fuzzy Hash: 01c19009af21e84132a479df60c2a4c36ea707d6713aa8d066f0899c1b7c5a52
                                                                                                                                                                              • Instruction Fuzzy Hash: 8C314D72101214BFEB118F50CC8AFAA3BA9EB49761F044059FE089A291D6799851CBB4
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memcmp
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2931989736-0
                                                                                                                                                                              • Opcode ID: eafa04af87a1bb7acae9c390b531da9bdcde0787a932dce6a77625eb9efa3c0c
                                                                                                                                                                              • Instruction ID: d02413715a86a3a2bdd3f5c1913eeffea023e99e6f28708df7f06d3ee0775c3f
                                                                                                                                                                              • Opcode Fuzzy Hash: eafa04af87a1bb7acae9c390b531da9bdcde0787a932dce6a77625eb9efa3c0c
                                                                                                                                                                              • Instruction Fuzzy Hash: 34210AB6701105B79E01B550AE4AFBB376C9E20740B080021FD06A6382EB5DDE21C5A2
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
                                                                                                                                                                                • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
                                                                                                                                                                                • Part of subcall function 0075436A: _wcscpy.LIBCMT ref: 0075438D
                                                                                                                                                                              • _wcstok.LIBCMT ref: 007AF2D7
                                                                                                                                                                              • _wcscpy.LIBCMT ref: 007AF366
                                                                                                                                                                              • _memset.LIBCMT ref: 007AF399
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007B72EB
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007B730C
• WSAGetLastError.WSOCK32(00000000), ref: 007B731F
• htons.WSOCK32(?,?,?,00000000,?), ref: 007B73D5
• inet_ntoa.WSOCK32(?), ref: 007B7392
  • Part of subcall function 0079B4EA: _strlen.LIBCMT ref: 0079B4F4
  • Part of subcall function 0079B4EA: _memmove.LIBCMT ref: 0079B516
• _strlen.LIBCMT ref: 007B742F
• _memmove.LIBCMT ref: 007B7498
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsWindow.USER32(019A8840), ref: 007CBA5D
• IsWindowEnabled.USER32(019A8840), ref: 007CBA69
• SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007CBB4D
• SendMessageW.USER32(019A8840,000000B0,?,?), ref: 007CBB84
• IsDlgButtonChecked.USER32(?,?), ref: 007CBBC1
• GetWindowLongW.USER32(019A8840,000000EC), ref: 007CBBE3
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007CBBFB
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
APIs
• _memset.LIBCMT ref: 007BFB31
• _memset.LIBCMT ref: 007BFBFA
• ShellExecuteExW.SHELL32(?), ref: 007BFC3F
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
  • Part of subcall function 0075436A: _wcscpy.LIBCMT ref: 0075438D
• GetProcessId.KERNEL32(00000000), ref: 007BFCB6
• CloseHandle.KERNEL32(00000000), ref: 007BFCE5
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
APIs
• GetParent.USER32(?), ref: 007A178B
• GetKeyboardState.USER32(?), ref: 007A17A0
• SetKeyboardState.USER32(?), ref: 007A1801
• PostMessageW.USER32(?,00000101,00000010,?), ref: 007A182F
• PostMessageW.USER32(?,00000101,00000011,?), ref: 007A184E
• PostMessageW.USER32(?,00000101,00000012,?), ref: 007A1894
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 007A18B7
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 007A15A4
• GetKeyboardState.USER32(?), ref: 007A15B9
• SetKeyboardState.USER32(?), ref: 007A161A
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007A1646
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007A1663
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007A16A7
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007A16C8
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 87235514-0
                                                                                                                                                                              • Opcode ID: 7dda3763b6ae865f3f8d153bb76ea51a9af6899bb67154a81875125d599294d7
                                                                                                                                                                              • Instruction ID: 5a85cce585a6196f307092fb1e954da4918847a5e121d09e5e03e3949b0cace6
                                                                                                                                                                              • Opcode Fuzzy Hash: 7dda3763b6ae865f3f8d153bb76ea51a9af6899bb67154a81875125d599294d7
                                                                                                                                                                              • Instruction Fuzzy Hash: 175106A09047D57DFB368764CC05BBA7FA95F87300F4C8689E0D9869C2C69CEC98E751
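The per-function API lists in this section are raw call chains with hex arguments, so the reader has to decode them: in the block above, PostMessageW is called with wParam 00000100 (WM_KEYDOWN) and virtual-key codes 00000010, 00000011, 00000012 and 0000005B (VK_SHIFT, VK_CONTROL, VK_MENU, VK_LWIN), i.e. modifier key presses injected into a window, right after the keyboard state array is read and rewritten. Further down, RegEnumKeyExW followed by RegDeleteKeyW, with the function calling itself through a subcall, is the standard way to remove a registry key that still has subkeys, because RegDeleteKeyW refuses to delete a non-empty key; and SHFileOperationW paired with the string "\*.*" operates on a whole directory. The following Python parser is an added example, not code from Joe Sandbox or from the analysed sample: it reads function blocks in exactly the layout shown on this page, decodes those constants and flags the chains. The SAMPLE text is copied from this report's own blocks; the finding labels and the helper names (parse_blocks, pressed_keys, flag, scan) are the editor's assumptions.

```python
"""Parse Joe Sandbox per-function 'APIs' blocks and flag notable call chains.
Added example for this report (not Joe Sandbox code, not the sample's code).
SAMPLE is copied from this page's function blocks; finding labels are the editor's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 constants (Windows SDK values) behind the hex arguments in the report.
WM_KEYDOWN = 0x0100
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# One "• Func.MODULE(args), ref: ADDR" line. The "Part of subcall" prefix, the
# argument list and the comma before "ref:" are all optional in the report layout.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRING_ID = re.compile(r"•\s*String ID:\s*(?P<s>.*)")


@dataclass
class Call:
    fn: str
    module: str
    args: List[Optional[int]]   # hex literal -> int, '?' (unresolved by the sandbox) -> None
    ref: str
    subcall: Optional[str] = None


@dataclass
class Block:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_args(raw: str) -> List[Optional[int]]:
    out: List[Optional[int]] = []
    for a in raw.split(","):
        a = a.strip()
        if a:
            try:
                out.append(int(a, 16))
            except ValueError:
                out.append(None)
    return out


def parse_blocks(text: str) -> List[Block]:
    """Each 'APIs' heading opens a function block; the calls and the String ID
    from its Similarity section are attached to it until the next heading."""
    blocks: List[Block] = []
    cur: Optional[Block] = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Block()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(s)
        if m:
            cur.calls.append(Call(m["fn"], m["mod"], parse_args(m["args"] or ""), m["ref"], m["sub"]))
            continue
        m = STRING_ID.match(s)
        if m and m["s"].strip():
            cur.strings.append(m["s"].strip())
    return blocks


def pressed_keys(block: Block) -> List[str]:
    """Virtual keys injected with PostMessageW(hwnd, WM_KEYDOWN, vk, lParam)."""
    return [VK_NAMES.get(c.args[2], hex(c.args[2])) for c in block.calls
            if c.fn == "PostMessageW" and len(c.args) >= 3
            and c.args[1] == WM_KEYDOWN and c.args[2] is not None]


def flag(block: Block) -> List[str]:
    names = {c.fn for c in block.calls}
    findings = []
    keys = pressed_keys(block)
    if keys:
        findings.append("injects keystrokes via PostMessageW(WM_KEYDOWN): " + ", ".join(keys))
    if {"GetKeyboardState", "SetKeyboardState"} <= names:
        findings.append("rewrites the keyboard state array (GetKeyboardState/SetKeyboardState)")
    if {"RegEnumKeyExW", "RegDeleteKeyW"} <= names:
        # RegDeleteKeyW fails on keys with subkeys; enumerate-then-delete is recursive removal.
        findings.append("recursive registry key deletion (RegEnumKeyExW + RegDeleteKeyW)")
    if "SHFileOperationW" in names and any(s.endswith(r"\*.*") for s in block.strings):
        findings.append(r"whole-directory SHFileOperationW using the '\*.*' wildcard")
    return findings


def scan(text: str) -> List[tuple]:
    """(block index, findings) for every block that triggers at least one flag."""
    return [(i, f) for i, b in enumerate(parse_blocks(text)) for f in [flag(b)] if f]


SAMPLE = r"""
APIs
• GetParent.USER32(00000000), ref: 007A15A4
• GetKeyboardState.USER32(?), ref: 007A15B9
• SetKeyboardState.USER32(?), ref: 007A161A
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007A1646
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007A1663
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007A16A7
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007A16C8
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
APIs
  • Part of subcall function 007A4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A3B8A,?), ref: 007A4BE0
• lstrcmpiW.KERNEL32(?,?), ref: 007A3BAA
• _wcscmp.LIBCMT ref: 007A3BC6
• MoveFileW.KERNEL32(?,?), ref: 007A3BDE
• SHFileOperationW.SHELL32(?), ref: 007A3C92
Similarity
• String ID: \*.*
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007C7976
• DrawMenuBar.USER32 ref: 007C79E9
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007C1631
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C165B
  • Part of subcall function 007C1602: RegCloseKey.ADVAPI32(?), ref: 007C1678
• RegDeleteKeyW.ADVAPI32(?,?), ref: 007C16B5
"""

if __name__ == "__main__":
    for idx, found in scan(SAMPLE):
        print(f"block {idx}:")
        for f in found:
            print("  -", f)
```

Arguments the sandbox could not resolve are shown as "?" in the report and are kept as None, so a chain is only flagged on constants that were actually recovered; a block like the menu one above produces no finding and serves as the negative control.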
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 224178f45724397b339c7213508baeea2a4702eed862bc0772d8749d424aea54
• Instruction ID: cf5bd08febedccb1bfaf7ec933bab640c6c9f4f770736a4a9f42ce38cd45497c
• Opcode Fuzzy Hash: 224178f45724397b339c7213508baeea2a4702eed862bc0772d8749d424aea54
• Instruction Fuzzy Hash: 57418176D11618B5CB51EBB4CC8E9CFB3B8AF05310F508966F91AE3122E638E715C3A5
APIs
  • Part of subcall function 007A4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A3B8A,?), ref: 007A4BE0
  • Part of subcall function 007A4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A3B8A,?), ref: 007A4BF9
• lstrcmpiW.KERNEL32(?,?), ref: 007A3BAA
• _wcscmp.LIBCMT ref: 007A3BC6
• MoveFileW.KERNEL32(?,?), ref: 007A3BDE
• _wcscat.LIBCMT ref: 007A3C26
• SHFileOperationW.SHELL32(?), ref: 007A3C92
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 6a31ee77b048cb151c2f92c381350a481f7b337e36b6c328c86e0265e2879639
• Instruction ID: cb8de09cc5b573293c1f8d4611120789e286631c5949cb5d97a167203ac65ae6
• Opcode Fuzzy Hash: 6a31ee77b048cb151c2f92c381350a481f7b337e36b6c328c86e0265e2879639
• Instruction Fuzzy Hash: 1B4150B1508344DAC752EF64C845ADBB7E8AFC9340F501A2EF48AC3191EB39D648C766
APIs
• _memset.LIBCMT ref: 007C78CF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007C7976
• IsMenu.USER32(?), ref: 007C798E
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007C79D6
• DrawMenuBar.USER32 ref: 007C79E9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 80227d3eb0548463e01675b6de8c359841e43d8d576fa51faa3ba3e84b1c8682
• Instruction ID: 7ce8e16a3198b60fc2ccc97fad576e3fcd9e10b5a5ac01f0c6d4416340f48abd
• Opcode Fuzzy Hash: 80227d3eb0548463e01675b6de8c359841e43d8d576fa51faa3ba3e84b1c8682
• Instruction Fuzzy Hash: C6412575A08249EFDB24DF54E884FAABBB9FB09310F04812DE95597250DB38ED50CFA0
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007C1631
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C165B
• FreeLibrary.KERNEL32(00000000), ref: 007C1712
  • Part of subcall function 007C1602: RegCloseKey.ADVAPI32(?), ref: 007C1678
  • Part of subcall function 007C1602: FreeLibrary.KERNEL32(?), ref: 007C16CA
  • Part of subcall function 007C1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007C16ED
• RegDeleteKeyW.ADVAPI32(?,?), ref: 007C16B5
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: 2b5b8dfe865a825f1a77016179fc7e588fe3168c4418d7658f2f90136ebb87e6
• Instruction ID: 526495f94a9050d70c1628b9691958c614b964493712b8b7779225034923c998
• Opcode Fuzzy Hash: 2b5b8dfe865a825f1a77016179fc7e588fe3168c4418d7658f2f90136ebb87e6
• Instruction Fuzzy Hash: B53138B1901209BFDB14DB90DC89FFEB7BCEF09300F50416EE916E2141EA789E459AA4
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007C6911
• GetWindowLongW.USER32(019A8840,000000F0), ref: 007C6944
• GetWindowLongW.USER32(019A8840,000000F0), ref: 007C6979
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007C69AB
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007C69D5
• GetWindowLongW.USER32(?,000000F0), ref: 007C69E6
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 007C6A00
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 5f33e85337e75d39fdf2fbc8aef6a91779006b3aae9792d02c9270b4d3baa20b
• Instruction ID: ebcf2df848e6a30a6d0e8939a9be15f660fa8216ea5073341f9ed29ad731ad13
• Opcode Fuzzy Hash: 5f33e85337e75d39fdf2fbc8aef6a91779006b3aae9792d02c9270b4d3baa20b
• Instruction Fuzzy Hash: 4D310F30604190AFDB208F18DC88F6437E1FB4A711F1992ACF5058B2A1CB7AB840CB94
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0079E2CA
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0079E2F0
• SysAllocString.OLEAUT32(00000000), ref: 0079E2F3
• SysAllocString.OLEAUT32(?), ref: 0079E311
• SysFreeString.OLEAUT32(?), ref: 0079E31A
• StringFromGUID2.OLE32(?,?,00000028), ref: 0079E33F
                                                                                                                                                                              • SysAllocString.OLEAUT32(?), ref: 0079E34D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3761583154-0
                                                                                                                                                                              • Opcode ID: c63700e4b9ad01da95c89c6660414ecd0a1c6119672cd9fa43a01301d71797f4
                                                                                                                                                                              • Instruction ID: 2001bfa348f8506c3ade3764a13495792e581b7e2c29baa879885941bdc1476d
                                                                                                                                                                              • Opcode Fuzzy Hash: c63700e4b9ad01da95c89c6660414ecd0a1c6119672cd9fa43a01301d71797f4
                                                                                                                                                                              • Instruction Fuzzy Hash: 8421B732601219BF9F10DFA8DC88DBF77BCEB09360B448125FA18DB250D678DC4187A4
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007B8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007B84A0
                                                                                                                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007B68B1
                                                                                                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 007B68C0
                                                                                                                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007B68F9
                                                                                                                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 007B6902
                                                                                                                                                                              • WSAGetLastError.WSOCK32 ref: 007B690C
                                                                                                                                                                              • closesocket.WSOCK32(00000000), ref: 007B6935
                                                                                                                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007B694E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 910771015-0
                                                                                                                                                                              • Opcode ID: 9fa0e739180e49f49e80493449d1137f8b20c94013cb91d9978c2a66d3d9e439
                                                                                                                                                                              • Instruction ID: 2d040fe820521f45ccc3bb6d0f1a0fcf3c19a254d2baae715595df16b64391e7
                                                                                                                                                                              • Opcode Fuzzy Hash: 9fa0e739180e49f49e80493449d1137f8b20c94013cb91d9978c2a66d3d9e439
                                                                                                                                                                              • Instruction Fuzzy Hash: 22319371600218EFDB109F64CC89BFE77B9EB44725F048029FA05AB291DB7CAC049BE1
                                                                                                                                                                              APIs
                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0079E3A5
                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0079E3CB
                                                                                                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 0079E3CE
                                                                                                                                                                              • SysAllocString.OLEAUT32 ref: 0079E3EF
                                                                                                                                                                              • SysFreeString.OLEAUT32 ref: 0079E3F8
                                                                                                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0079E412
                                                                                                                                                                              • SysAllocString.OLEAUT32(?), ref: 0079E420
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3761583154-0
                                                                                                                                                                              • Opcode ID: 403397d3af5a9e33753ef53c447a4feb45efb6d5e5a84842d8aa4cafbb2dd2e3
                                                                                                                                                                              • Instruction ID: 4eb665848bb64379a5e38887142a6c81f01297a2dd21d1274f52c447252a9c65
                                                                                                                                                                              • Opcode Fuzzy Hash: 403397d3af5a9e33753ef53c447a4feb45efb6d5e5a84842d8aa4cafbb2dd2e3
                                                                                                                                                                              • Instruction Fuzzy Hash: A7218635605244BFAF10DFA8EC88DAF77ECEB49360B008125FA05CB260D678EC418BA4
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00742111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074214F
                                                                                                                                                                                • Part of subcall function 00742111: GetStockObject.GDI32(00000011), ref: 00742163
                                                                                                                                                                                • Part of subcall function 00742111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074216D
                                                                                                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007C7C57
                                                                                                                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007C7C64
                                                                                                                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007C7C6F
                                                                                                                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007C7C7E
                                                                                                                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007C7C8A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                                                              • String ID: Msctls_Progress32
                                                                                                                                                                              • API String ID: 1025951953-3636473452
                                                                                                                                                                              • Opcode ID: 63cf6e1e7b6a27de7fb3336fb1df364ce896ab8c36657d5014ffd3cc1b9e6a81
                                                                                                                                                                              • Instruction ID: 84b76f9dc87e8c1a109595384f9f79304f3637b2c2e4612594dee3fbb218c94f
                                                                                                                                                                              • Opcode Fuzzy Hash: 63cf6e1e7b6a27de7fb3336fb1df364ce896ab8c36657d5014ffd3cc1b9e6a81
                                                                                                                                                                              • Instruction Fuzzy Hash: A11163B115021DBEEF159F60CC85EE77F5DEF08798F014119BB04A6091DB759C21DBA4
                                                                                                                                                                              APIs
                                                                                                                                                                              • __init_pointers.LIBCMT ref: 00769D16
                                                                                                                                                                                • Part of subcall function 007633B7: EncodePointer.KERNEL32(00000000), ref: 007633BA
                                                                                                                                                                                • Part of subcall function 007633B7: __initp_misc_winsig.LIBCMT ref: 007633D5
                                                                                                                                                                                • Part of subcall function 007633B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0076A0D0
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0076A0E4
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0076A0F7
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0076A10A
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0076A11D
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0076A130
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0076A143
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0076A156
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0076A169
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0076A17C
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0076A18F
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0076A1A2
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0076A1B5
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0076A1C8
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0076A1DB
                                                                                                                                                                                • Part of subcall function 007633B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0076A1EE
                                                                                                                                                                              • __mtinitlocks.LIBCMT ref: 00769D1B
                                                                                                                                                                              • __mtterm.LIBCMT ref: 00769D24
                                                                                                                                                                                • Part of subcall function 00769D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00769D29,00767EFD,007FCD38,00000014), ref: 00769E86
                                                                                                                                                                                • Part of subcall function 00769D8C: _free.LIBCMT ref: 00769E8D
                                                                                                                                                                                • Part of subcall function 00769D8C: DeleteCriticalSection.KERNEL32(00800C00,?,?,00769D29,00767EFD,007FCD38,00000014), ref: 00769EAF
                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 00769D49
                                                                                                                                                                              • __initptd.LIBCMT ref: 00769D6B
                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00769D72
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3567560977-0
                                                                                                                                                                              • Opcode ID: 954628f4220662e9eee4450653ae42738d49cd41513214dd40859d7c8136b48c
                                                                                                                                                                              • Instruction ID: 02f757c777afe1fcac4056a8cabcddafc3f55bb69604f7a5259fceadcddf8747
                                                                                                                                                                              • Opcode Fuzzy Hash: 954628f4220662e9eee4450653ae42738d49cd41513214dd40859d7c8136b48c
                                                                                                                                                                              • Instruction Fuzzy Hash: A7F06D3260A711AAEA747B747C0B78A7ADCDF41730F21472AFE63D60D2EF3888014591
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00764282,?), ref: 007641D3
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 007641DA
                                                                                                                                                                              • EncodePointer.KERNEL32(00000000), ref: 007641E6
                                                                                                                                                                              • DecodePointer.KERNEL32(00000001,00764282,?), ref: 00764203
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                                                              • String ID: RoInitialize$combase.dll
                                                                                                                                                                              • API String ID: 3489934621-340411864
                                                                                                                                                                              • Opcode ID: ffd88fc6c52da7d979d9a6b3a15849651227ff556ed623e391d206383ac5fedf
                                                                                                                                                                              • Instruction ID: 7835919ff44efe0b8c0f9d884fd2303c4a669fa379aad082dd83b310a213777f
                                                                                                                                                                              • Opcode Fuzzy Hash: ffd88fc6c52da7d979d9a6b3a15849651227ff556ed623e391d206383ac5fedf
                                                                                                                                                                              • Instruction Fuzzy Hash: 99E0DF70681301AFDB901F70ED0CB093BB5B711B06F609429F842D51E4CBBD0480CF68
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007641A8), ref: 007642A8
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 007642AF
                                                                                                                                                                              • EncodePointer.KERNEL32(00000000), ref: 007642BA
                                                                                                                                                                              • DecodePointer.KERNEL32(007641A8), ref: 007642D5
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                                                              • String ID: RoUninitialize$combase.dll
                                                                                                                                                                              • API String ID: 3489934621-2819208100
                                                                                                                                                                              • Opcode ID: 12b120229e95da7833c039dafde0ef55d65333cc597855bdcc08e8c011b8702f
                                                                                                                                                                              • Instruction ID: c92ac2e1d235c9f3bc366412960165b17876103cabc40beefa2d82fae5eec4c0
                                                                                                                                                                              • Opcode Fuzzy Hash: 12b120229e95da7833c039dafde0ef55d65333cc597855bdcc08e8c011b8702f
                                                                                                                                                                              • Instruction Fuzzy Hash: D9E0B6B0652700AFDB909B60AD0DB463B75B705B02F60911BF441D51A0CBBD4604CE64
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 007421B8
                                                                                                                                                                              • GetWindowRect.USER32(?,?), ref: 007421F9
                                                                                                                                                                              • ScreenToClient.USER32(?,?), ref: 00742221
                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 00742350
                                                                                                                                                                              • GetWindowRect.USER32(?,?), ref: 00742369
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Rect$Client$Window$Screen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1296646539-0
                                                                                                                                                                              • Opcode ID: 029e5ccdc408adf7fb199f0321d19d31b08df2bae87393bea32011abd8c1b32f
                                                                                                                                                                              • Instruction ID: cc4f97edcc7b65168b2e3981d6d8935e7cabd39c68fdb7a48f9a24e4e2ab1ec8
                                                                                                                                                                              • Opcode Fuzzy Hash: 029e5ccdc408adf7fb199f0321d19d31b08df2bae87393bea32011abd8c1b32f
                                                                                                                                                                              • Instruction Fuzzy Hash: 1EB1AD39A00249DBDF10CFA8C8807EDB7B1FF08750F548129ED59EB215DB78AA61CB64
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memmove$__itow__swprintf
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3253778849-0
                                                                                                                                                                              • Opcode ID: 3e565685ac210e845bbe011017c515c4a5cf1181a4cbdb9c033d3fa72d8085da
                                                                                                                                                                              • Instruction ID: 2b06747548d978718ecfb40a5a8ef27f2d95c03a9477cca6d2af7527bd4ea688
                                                                                                                                                                              • Opcode Fuzzy Hash: 3e565685ac210e845bbe011017c515c4a5cf1181a4cbdb9c033d3fa72d8085da
                                                                                                                                                                              • Instruction Fuzzy Hash: 1C61BD7050029AEBCF11EF60CC89EFE37A4AF46308F484658FD565B192DB39AD05DB60
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
                                                                                                                                                                                • Part of subcall function 007C147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C040D,?,?), ref: 007C1491
                                                                                                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C091D
                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C095D
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007C0980
                                                                                                                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007C09A9
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007C09EC
                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 007C09F9
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: 185d926c6ce4d45ba8c1c964b13fe3b3287905642b5f1fc388a26359c7fddfb3
• Instruction ID: 289973c74ea9aece773898951896fbce3c1a2c2459a6a9a47a8edf3baa752d59
• Opcode Fuzzy Hash: 185d926c6ce4d45ba8c1c964b13fe3b3287905642b5f1fc388a26359c7fddfb3
• Instruction Fuzzy Hash: 33515731208204EFD714EB64C889F6ABBA9FF85314F44491DF985872A2DB79E905CB92
APIs
• VariantInit.OLEAUT32(?), ref: 0079F6A2
• VariantClear.OLEAUT32(00000013), ref: 0079F714
• VariantClear.OLEAUT32(00000000), ref: 0079F76F
• _memmove.LIBCMT ref: 0079F799
• VariantClear.OLEAUT32(?), ref: 0079F7E6
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0079F814
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: ef37cb2111ab22ef18a571b49ff57c84782902d3ad29045521adf8fa711085c6
• Instruction ID: bba91117b05d3bb9d9e5ad80051814b59ef2b6833768c7ac51a35151f43497ba
• Opcode Fuzzy Hash: ef37cb2111ab22ef18a571b49ff57c84782902d3ad29045521adf8fa711085c6
• Instruction Fuzzy Hash: E85146B5A00209EFCB14CF58D884EAAB7B8FF48354B15856AED59DB310E734E911CBA0
APIs
• _memset.LIBCMT ref: 007A29FF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2A4A
• IsMenu.USER32(00000000), ref: 007A2A6A
• CreatePopupMenu.USER32 ref: 007A2A9E
• GetMenuItemCount.USER32(000000FF), ref: 007A2AFC
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007A2B2D
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: c45bf09c144b69c6e83231769b6ba4ba961f0cab8d1efa2d60c5e4fd77d3f290
• Instruction ID: 6830e8fe1b447224daccc7cd58469090aa1d53fa2538f80afb241dc0aa46cd76
• Opcode Fuzzy Hash: c45bf09c144b69c6e83231769b6ba4ba961f0cab8d1efa2d60c5e4fd77d3f290
• Instruction Fuzzy Hash: 3651C470600349DFCF25CF6CD888B9EBBF4AF86314F108219E811972A2E7789946CB61
APIs
  • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
• BeginPaint.USER32(?,?,?,?,?,?), ref: 00741B76
• GetWindowRect.USER32(?,?), ref: 00741BDA
• ScreenToClient.USER32(?,?), ref: 00741BF7
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00741C08
• EndPaint.USER32(?,?), ref: 00741C52
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
• Opcode ID: 44cf12cdff3e97a8f533a8ce1701ddc69e70bc88c7d40efc47c92e23230c1ce4
• Instruction ID: 3d5f2011038b8907b289847073b283fbe9950e66b6bbe9dc143d634032819932
• Opcode Fuzzy Hash: 44cf12cdff3e97a8f533a8ce1701ddc69e70bc88c7d40efc47c92e23230c1ce4
• Instruction Fuzzy Hash: 75419F70604200EFD711EF24CC88FBA7BF8FB45364F144669F9A9862B1C739A885DB65
APIs
• ShowWindow.USER32(008077B0,00000000,019A8840,?,?,008077B0,?,007CBC1A,?,?), ref: 007CBD84
• EnableWindow.USER32(?,00000000), ref: 007CBDA8
• ShowWindow.USER32(008077B0,00000000,019A8840,?,?,008077B0,?,007CBC1A,?,?), ref: 007CBE08
• ShowWindow.USER32(?,00000004,?,007CBC1A,?,?), ref: 007CBE1A
• EnableWindow.USER32(?,00000001), ref: 007CBE3E
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 007CBE61
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 54904cda0fd3d1b13c7d1f4a8c961ce122f44347d40d6788f6fcd9d9a6cb28f8
• Instruction ID: e6e58fd706c30e5e0688dffe619c72965a5ef65a50218ce044d70a16ca07509f
• Opcode Fuzzy Hash: 54904cda0fd3d1b13c7d1f4a8c961ce122f44347d40d6788f6fcd9d9a6cb28f8
• Instruction Fuzzy Hash: A3414934601145AFDB22CF68C48AF957BF1FF05714F1881ADFA498F2A2C739A845CBA1
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,007B550C,?,?,00000000,00000001), ref: 007B7796
  • Part of subcall function 007B406C: GetWindowRect.USER32(?,?), ref: 007B407F
• GetDesktopWindow.USER32 ref: 007B77C0
• GetWindowRect.USER32(00000000), ref: 007B77C7
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007B77F9
  • Part of subcall function 007A57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A5877
• GetCursorPos.USER32(?), ref: 007B7825
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007B7883
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 40260ba207e8da690c190b196aa93432a5e07ff3d93c068a6f231ad920df2780
• Instruction ID: 9a6aab5f192be60f8bcdb86844fd424c664c52e2e547c78adee56a0b9c63924d
• Opcode Fuzzy Hash: 40260ba207e8da690c190b196aa93432a5e07ff3d93c068a6f231ad920df2780
• Instruction Fuzzy Hash: EF31B272509305ABD724DF14D849F9BB7EAFFC8314F00491AF585A7191CA38E918CBD6
APIs
  • Part of subcall function 00798CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00798CDE
  • Part of subcall function 00798CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00798CE8
  • Part of subcall function 00798CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00798CF7
  • Part of subcall function 00798CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00798CFE
  • Part of subcall function 00798CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00798D14
• GetLengthSid.ADVAPI32(?,00000000,0079904D), ref: 00799482
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 0079948E
• HeapAlloc.KERNEL32(00000000), ref: 00799495
• CopySid.ADVAPI32(00000000,00000000,?), ref: 007994AE
• GetProcessHeap.KERNEL32(00000000,00000000,0079904D), ref: 007994C2
• HeapFree.KERNEL32(00000000), ref: 007994C9
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3008561057-0
                                                                                                                                                                              • Opcode ID: 69a9569812fee9dcd1f4568c80347dfd38d1f72c3c8bebba0a08aee78683fe11
                                                                                                                                                                              • Instruction ID: e53818728fa4a068d4a406f8aa3cd31b5af3a9f68453a3b89bd6a98d9ec2e083
                                                                                                                                                                              • Opcode Fuzzy Hash: 69a9569812fee9dcd1f4568c80347dfd38d1f72c3c8bebba0a08aee78683fe11
                                                                                                                                                                              • Instruction Fuzzy Hash: 16118C71501608EBEF119BA8EC09BAF7BB9EB45316F108059E98597220D73A99018BA0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00799200
• OpenProcessToken.ADVAPI32(00000000), ref: 00799207
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00799216
• CloseHandle.KERNEL32(00000004), ref: 00799221
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00799250
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00799264
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 23adaa041061b23a084c1882a3893e77f38eb1b2e292ea1df6c02f6ac006609b
• Instruction ID: 698418738566356d049fbabc0616f238972b2e5d9da0fbde28080d26d9642654
• Opcode Fuzzy Hash: 23adaa041061b23a084c1882a3893e77f38eb1b2e292ea1df6c02f6ac006609b
• Instruction Fuzzy Hash: 99114A7250120EBBEF018F98ED49BDE7BB9FB08304F048019FA04A2160D2799D60DBA0
APIs
• GetDC.USER32(00000000), ref: 0079C34E
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0079C35F
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0079C366
• ReleaseDC.USER32(00000000,00000000), ref: 0079C36E
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0079C385
• MulDiv.KERNEL32(000009EC,?,?), ref: 0079C397
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: fb989c437ad7c349e8adb3017f46d985f35fc992989e6c6e2a60141a77ab3e57
• Instruction ID: 7e374f42eb7f6815826c48a77d48d51f3157cd03e79b2f886d4df2301e45a137
• Opcode Fuzzy Hash: fb989c437ad7c349e8adb3017f46d985f35fc992989e6c6e2a60141a77ab3e57
• Instruction Fuzzy Hash: CD016775E01318BBEF109BB59C49B5EBFB8EF48751F008066FA04AB280D6759D10CFA5
APIs
  • Part of subcall function 007416CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00741729
  • Part of subcall function 007416CF: SelectObject.GDI32(?,00000000), ref: 00741738
  • Part of subcall function 007416CF: BeginPath.GDI32(?), ref: 0074174F
  • Part of subcall function 007416CF: SelectObject.GDI32(?,00000000), ref: 00741778
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007CC57C
• LineTo.GDI32(00000000,00000003,?), ref: 007CC590
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007CC59E
• LineTo.GDI32(00000000,00000000,?), ref: 007CC5AE
• EndPath.GDI32(00000000), ref: 007CC5BE
• StrokePath.GDI32(00000000), ref: 007CC5CE
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: cdcbfc4ec155c2af08fcca6d1a500ad631c7000520cbeebeac0468ddf5468c87
• Instruction ID: fc8217c057bda61eca2dd1e31313c927b536d25dd860a6b26ccbf0e078454dd7
• Opcode Fuzzy Hash: cdcbfc4ec155c2af08fcca6d1a500ad631c7000520cbeebeac0468ddf5468c87
• Instruction Fuzzy Hash: FA11097240010DBFDB029F90DC88FAA7FADFB08354F048026FA585A160D775AE55DBA4
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 007607EC
• MapVirtualKeyW.USER32(00000010,00000000), ref: 007607F4
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 007607FF
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 0076080A
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00760812
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0076081A
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 518fbe4bf0c0b3c3ae8a48f394d5b31ad38cd4ea1db486fb76b934590865b5d5
• Instruction ID: 2d05aa6df9a8c931014dae1fb397dd0d40fe42c6b419b4a4ea83212fc593d18e
• Opcode Fuzzy Hash: 518fbe4bf0c0b3c3ae8a48f394d5b31ad38cd4ea1db486fb76b934590865b5d5
• Instruction Fuzzy Hash: 0E016CB0902759BDE3008F5A8C85B52FFB8FF59354F00411BA15C47941C7F5A864CBE5
                                                                                                                                                                              APIs
                                                                                                                                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007A59B4
                                                                                                                                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007A59CA
                                                                                                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 007A59D9
                                                                                                                                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A59E8
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A59F2
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A59F9
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 007A77FE
• EnterCriticalSection.KERNEL32(?,?,0074C2B6,?,?), ref: 007A780F
• TerminateThread.KERNEL32(00000000,000001F6,?,0074C2B6,?,?), ref: 007A781C
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,0074C2B6,?,?), ref: 007A7829
  • Part of subcall function 007A71F0: CloseHandle.KERNEL32(00000000,?,007A7836,?,0074C2B6,?,?), ref: 007A71FA
• InterlockedExchange.KERNEL32(?,000001F6), ref: 007A783C
• LeaveCriticalSection.KERNEL32(?,?,0074C2B6,?,?), ref: 007A7843
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00799555
• UnloadUserProfile.USERENV(?,?), ref: 00799561
• CloseHandle.KERNEL32(?), ref: 0079956A
• CloseHandle.KERNEL32(?), ref: 00799572
• GetProcessHeap.KERNEL32(00000000,?), ref: 0079957B
• HeapFree.KERNEL32(00000000), ref: 00799582
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• VariantInit.OLEAUT32(?), ref: 007B8CFD
• CharUpperBuffW.USER32(?,?), ref: 007B8E0C
• VariantClear.OLEAUT32(?), ref: 007B8F84
  • Part of subcall function 007A7B1D: VariantInit.OLEAUT32(00000000), ref: 007A7B5D
  • Part of subcall function 007A7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 007A7B66
  • Part of subcall function 007A7B1D: VariantClear.OLEAUT32(00000000), ref: 007A7B72
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 0075436A: _wcscpy.LIBCMT ref: 0075438D
• _memset.LIBCMT ref: 007A332E
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A335D
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A3410
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007A343E
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
APIs
• _memset.LIBCMT ref: 007A2F67
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007A2F83
• DeleteMenu.USER32(?,00000007,00000000), ref: 007A2FC9
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00807890,00000000), ref: 007A3012
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 0079B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0079B7BD
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00799ACC
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00799ADF
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00799B0F
  • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend$_memmove$ClassName
                                                                                                                                                                              • String ID: ComboBox$ListBox
                                                                                                                                                                              • API String ID: 365058703-1403004172
                                                                                                                                                                              • Opcode ID: 27c59cd3cb8d024dbd315c5d23da61a3918effc3dcefc233af54c9a823436c58
                                                                                                                                                                              • Instruction ID: 31172e665803230fbbf3c3e45e01bde3a8c873d93f69945873e5839bf13a4996
                                                                                                                                                                              • Opcode Fuzzy Hash: 27c59cd3cb8d024dbd315c5d23da61a3918effc3dcefc233af54c9a823436c58
                                                                                                                                                                              • Instruction Fuzzy Hash: 962101B1901108BEEF24EBB4EC4AEFEB778DF41360F50821AF925932D0DB3D49098660
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00742111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074214F
                                                                                                                                                                                • Part of subcall function 00742111: GetStockObject.GDI32(00000011), ref: 00742163
                                                                                                                                                                                • Part of subcall function 00742111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074216D
                                                                                                                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007C6A86
                                                                                                                                                                              • LoadLibraryW.KERNEL32(?), ref: 007C6A8D
                                                                                                                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007C6AA2
                                                                                                                                                                              • DestroyWindow.USER32(?), ref: 007C6AAA
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                                                                              • String ID: SysAnimate32
                                                                                                                                                                              • API String ID: 4146253029-1011021900
                                                                                                                                                                              • Opcode ID: 2a5502d131da54385d2534f98190332d0b052c5ec4973c794190324050e6d9e8
                                                                                                                                                                              • Instruction ID: f737034179b266a27f753605b43c680c2724fcd14b5543bc063c55ebfc4430e7
                                                                                                                                                                              • Opcode Fuzzy Hash: 2a5502d131da54385d2534f98190332d0b052c5ec4973c794190324050e6d9e8
                                                                                                                                                                              • Instruction Fuzzy Hash: 64218871200209AFEF108EA49C80FBF77ADEB99324F10D62DFE50A2190D739DC5197A4
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 007A7377
                                                                                                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A73AA
                                                                                                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 007A73BC
                                                                                                                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007A73F6
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateHandle$FilePipe
                                                                                                                                                                              • String ID: nul
                                                                                                                                                                              • API String ID: 4209266947-2873401336
                                                                                                                                                                              • Opcode ID: 3e567bdfe60f3fa918140fa2bdec631050a3e17aca6b49555c6d6347850b185f
                                                                                                                                                                              • Instruction ID: 34acdb3a7277b344de91b8d1402a9cfb56e02932e941f03bf4598f203c57596c
                                                                                                                                                                              • Opcode Fuzzy Hash: 3e567bdfe60f3fa918140fa2bdec631050a3e17aca6b49555c6d6347850b185f
                                                                                                                                                                              • Instruction Fuzzy Hash: C321A17050834AABDF248F68DC48B9A7BB4BF86721F204B29FCA1D72D0D7749850DB90
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 007A7444
                                                                                                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A7476
                                                                                                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 007A7487
                                                                                                                                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007A74C1
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateHandle$FilePipe
                                                                                                                                                                              • String ID: nul
                                                                                                                                                                              • API String ID: 4209266947-2873401336
                                                                                                                                                                              • Opcode ID: d79b05910c87fabf671e9b6a68bdf77d60a5c271108de15c0daa32c9ed56c59e
                                                                                                                                                                              • Instruction ID: f9570c712d8bd31d21b18088387323ac11f2030a09666e2984f2f603ee4f0028
                                                                                                                                                                              • Opcode Fuzzy Hash: d79b05910c87fabf671e9b6a68bdf77d60a5c271108de15c0daa32c9ed56c59e
                                                                                                                                                                              • Instruction Fuzzy Hash: 2521B0756082469BDB249F688C48B9A7BB8AF8A720F204B19FDA0D72D0DB749C40CB50
                                                                                                                                                                              APIs
                                                                                                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 007AB297
                                                                                                                                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007AB2EB
                                                                                                                                                                              • __swprintf.LIBCMT ref: 007AB304
                                                                                                                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,007D0980), ref: 007AB342
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                                                                              • String ID: %lu
                                                                                                                                                                              • API String ID: 3164766367-685833217
                                                                                                                                                                              • Opcode ID: bc64cc89081f268acbfaae83d245202fb35f504aa1689c8c15efad6b0b2c5ae3
                                                                                                                                                                              • Instruction ID: 1d9067abde1ea60069e27d789e538b0a98895a3f32daf90c4e2148b3703f4a15
                                                                                                                                                                              • Opcode Fuzzy Hash: bc64cc89081f268acbfaae83d245202fb35f504aa1689c8c15efad6b0b2c5ae3
                                                                                                                                                                              • Instruction Fuzzy Hash: 69214174A00109EFCB10DF65CC49EAEB7B8EF89704F108069F909D7252DB75EA45DB61
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00751821: _memmove.LIBCMT ref: 0075185B
                                                                                                                                                                                • Part of subcall function 0079AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0079AA6F
                                                                                                                                                                                • Part of subcall function 0079AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0079AA82
                                                                                                                                                                                • Part of subcall function 0079AA52: GetCurrentThreadId.KERNEL32 ref: 0079AA89
                                                                                                                                                                                • Part of subcall function 0079AA52: AttachThreadInput.USER32(00000000), ref: 0079AA90
• GetFocus.USER32 ref: 0079AC2A
  • Part of subcall function 0079AA9B: GetParent.USER32(?), ref: 0079AAA9
• GetClassNameW.USER32(?,?,00000100), ref: 0079AC73
• EnumChildWindows.USER32(?,0079ACEB), ref: 0079AC9B
• __swprintf.LIBCMT ref: 0079ACB5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
• String ID: %s%d
• API String ID: 1941087503-1110647743
APIs
• CharUpperBuffW.USER32(?,?), ref: 007A2318
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007BF2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 007BF320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007BF453
• CloseHandle.KERNEL32(?), ref: 007BF4D4
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 007C147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007C040D,?,?), ref: 007C1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C075D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C079C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007C07E3
• RegCloseKey.ADVAPI32(?,?), ref: 007C080F
• RegCloseKey.ADVAPI32(00000000), ref: 007C081C
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007AEC62
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007AEC8B
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007AECCA
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007AECEF
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007AECF7
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetCursorPos.USER32(?), ref: 00742727
• ScreenToClient.USER32(008077B0,?), ref: 00742744
• GetAsyncKeyState.USER32(00000001), ref: 00742769
• GetAsyncKeyState.USER32(00000002), ref: 00742777
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
                                                                                                                                                                              • Opcode ID: 823cf0915fc286ca63056d638d5eba0ec0232e62ad211d73849b163ca0c71b64
                                                                                                                                                                              • Instruction ID: daae11c2114f64e26e015ebc70b15f1e99582ec7a0a1d272d5cb79696f424587
                                                                                                                                                                              • Opcode Fuzzy Hash: 823cf0915fc286ca63056d638d5eba0ec0232e62ad211d73849b163ca0c71b64
                                                                                                                                                                              • Instruction Fuzzy Hash: 5F418235504109FFDF169F68C848FE9BB74FB09364F50831AF928A6291CB38AD60DB91
APIs
• GetWindowRect.USER32(?,?), ref: 007995E8
• PostMessageW.USER32(?,00000201,00000001), ref: 00799692
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0079969A
• PostMessageW.USER32(?,00000202,00000000), ref: 007996A8
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007996B0
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 68d2852f89d84571c93361a92edf8fc77fbeec6206c28389c5bc0277ee3b92ec
• Instruction ID: 42623b83532d1a488a64135c0e3279a903aa7f82fb7adf5e62d87cda78d6b4f3
• Opcode Fuzzy Hash: 68d2852f89d84571c93361a92edf8fc77fbeec6206c28389c5bc0277ee3b92ec
• Instruction Fuzzy Hash: C731BC71900219EBEF14CF6CE94CB9E7BB5EB44315F108259FA24AA2D0C3B8D924DB90
APIs
  • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
• GetWindowLongW.USER32(?,000000F0), ref: 007CB804
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007CB829
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007CB841
• GetSystemMetrics.USER32(00000004), ref: 007CB86A
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007B155C,00000000), ref: 007CB888
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: 52240323e32978722ab29d9183a125143e41d10ca81fb282e921d7c351e75fd8
• Instruction ID: 82503a8065cbdd4443998d9ac68a5eec71bbe31757d3f9edea4461d7ac865c69
• Opcode Fuzzy Hash: 52240323e32978722ab29d9183a125143e41d10ca81fb282e921d7c351e75fd8
• Instruction Fuzzy Hash: 0A215A71A14255AFCB249F389C09F6A3BA8FB05724F15873DF926D62E0E7349860CAD0
APIs
• IsWindow.USER32(00000000), ref: 007B6159
• GetForegroundWindow.USER32 ref: 007B6170
• GetDC.USER32(00000000), ref: 007B61AC
• GetPixel.GDI32(00000000,?,00000003), ref: 007B61B8
• ReleaseDC.USER32(00000000,00000003), ref: 007B61F3
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: b216153b84a9d976094ae17b76c26a43909efa22408d7cadd7b5e0f49a2bf2d4
• Instruction ID: 39b5d2f9dcbf162ea5030288dd09cf7bb9319b3275c11a3c21481cca47b6f341
• Opcode Fuzzy Hash: b216153b84a9d976094ae17b76c26a43909efa22408d7cadd7b5e0f49a2bf2d4
• Instruction Fuzzy Hash: 17215375A01104DFD714EF65DD88BAAB7F9EF89310F048469E94997252CB38AC00DB90
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00741729
• SelectObject.GDI32(?,00000000), ref: 00741738
• BeginPath.GDI32(?), ref: 0074174F
• SelectObject.GDI32(?,00000000), ref: 00741778
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 2d5e206bbf6a75004dd89ceeedf27995b4016873be5b8e571a16f40ea975bd82
• Instruction ID: 304545256378af9d9e643f35004ec66d49852f539b0654b793fd076ed211a002
• Opcode Fuzzy Hash: 2d5e206bbf6a75004dd89ceeedf27995b4016873be5b8e571a16f40ea975bd82
• Instruction Fuzzy Hash: 46217C30A05208EBDB51AF24DD48B697BB9FB00321F54C226F825962B0D779E991CF99
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 8dc68f7ddf906ccb3227e4e40b83aeefb54d75e7ce95a96d6b3b7fcea6f3fe37
• Instruction ID: f0229d23d7f305c255f3a031b21dd6e8c1c34b64d224aa59d55c0d2a0f01ba1d
• Opcode Fuzzy Hash: 8dc68f7ddf906ccb3227e4e40b83aeefb54d75e7ce95a96d6b3b7fcea6f3fe37
• Instruction Fuzzy Hash: 0D01B5A2A401057BDE15A511AD8AFBB736C9B60384F084026FE0796741EBACDE2182E1
APIs
• GetCurrentThreadId.KERNEL32 ref: 007A5075
• __beginthreadex.LIBCMT ref: 007A5093
• MessageBoxW.USER32(?,?,?,?), ref: 007A50A8
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007A50BE
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007A50C5
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3824534824-0
                                                                                                                                                                              • Opcode ID: fb031f937b530cc14c48d6ea4f771905f26fd6f7e46eb11a607ee745b12a40ca
                                                                                                                                                                              • Instruction ID: 74803fbb7221b2b4e42b62ca458cd715f75897f885bea432e69827034329fa59
                                                                                                                                                                              • Opcode Fuzzy Hash: fb031f937b530cc14c48d6ea4f771905f26fd6f7e46eb11a607ee745b12a40ca
                                                                                                                                                                              • Instruction Fuzzy Hash: EB1104B6D09618BFC7419BA89C08B9F7FACEB86320F14435AF915D3350D67A990087F1
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00798E3C
                                                                                                                                                                              • GetLastError.KERNEL32(?,00798900,?,?,?), ref: 00798E46
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00798900,?,?,?), ref: 00798E55
                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,00798900,?,?,?), ref: 00798E5C
                                                                                                                                                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00798E73
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 842720411-0
                                                                                                                                                                              • Opcode ID: db746e91f0ccf93be8ccbfab519e9edb3339a8aee1aeb3e6ef0430d33d586e2a
                                                                                                                                                                              • Instruction ID: 43c16aa50042919a8f6bc0561fbddd323fe0f6ff64514fec5bfcd58a2fd7eb21
                                                                                                                                                                              • Opcode Fuzzy Hash: db746e91f0ccf93be8ccbfab519e9edb3339a8aee1aeb3e6ef0430d33d586e2a
                                                                                                                                                                              • Instruction Fuzzy Hash: DC011271601244BFDB104FA5EC58E6B7FBDEF86755B10456AF845C2210DA35DC10CAA5
                                                                                                                                                                              APIs
                                                                                                                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00797C62,80070057,?,?,?,00798073), ref: 00797D45
                                                                                                                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00797C62,80070057,?,?), ref: 00797D60
                                                                                                                                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00797C62,80070057,?,?), ref: 00797D6E
                                                                                                                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00797C62,80070057,?), ref: 00797D7E
                                                                                                                                                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00797C62,80070057,?,?), ref: 00797D8A
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3897988419-0
                                                                                                                                                                              • Opcode ID: d784da85073896458cebf899c848dca6ef72b0811fc3851dafed2820b3957667
                                                                                                                                                                              • Instruction ID: 41d7464893c1ce6bc54e7778061a72ec749b5fffc639e2d7060ec1bd9fef9b07
                                                                                                                                                                              • Opcode Fuzzy Hash: d784da85073896458cebf899c848dca6ef72b0811fc3851dafed2820b3957667
                                                                                                                                                                              • Instruction Fuzzy Hash: 22017C72716214ABDB154F64EC44BAA7BBDEF44762F149029F908D6210E779ED00EBE0
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00798CDE
                                                                                                                                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00798CE8
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00798CF7
                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00798CFE
                                                                                                                                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00798D14
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 44706859-0
                                                                                                                                                                              • Opcode ID: 75e262e871915c4fb67389c1c56c27af0849f15308c7b53650208f42c309786e
                                                                                                                                                                              • Instruction ID: fc12d1f6982eba9aa64cddb282cc025eca1b2c74db90aab266d0eddb36b9a246
                                                                                                                                                                              • Opcode Fuzzy Hash: 75e262e871915c4fb67389c1c56c27af0849f15308c7b53650208f42c309786e
                                                                                                                                                                              • Instruction Fuzzy Hash: DEF08C34301208BFEF100FA4AC8CF6B3BACEF8A754F50802AF94482190CA699C00DBA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00798D3F
                                                                                                                                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00798D49
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D58
                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D5F
                                                                                                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D75
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 44706859-0
                                                                                                                                                                              • Opcode ID: f86daa2dcf69dec4c83905e2af68875b63cf6b32f5ce4bdbf88992f3709b08e3
                                                                                                                                                                              • Instruction ID: bf24940ee65c5d05a28f8046e409f00b61b3d2faa3e769c70664e8176f63cd1d
                                                                                                                                                                              • Opcode Fuzzy Hash: f86daa2dcf69dec4c83905e2af68875b63cf6b32f5ce4bdbf88992f3709b08e3
                                                                                                                                                                              • Instruction Fuzzy Hash: 38F08C35201204AFEB510FA4EC88F6B3BACEF8A754F44411AF94482190CA699D00DAA1
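The two GetTokenInformation blocks above, like the GetUserObjectSecurity block before them, record the standard two-pass size-probe idiom: a first call with a NULL buffer, GetLastError, HeapAlloc of the reported size, then the real call. One caveat when reading them: the sandbox's "00000003(TokenIntegrityLevel)" annotation does not match winnt.h, where TOKEN_INFORMATION_CLASS value 3 is TokenPrivileges and TokenIntegrityLevel is 25. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses function blocks in the listing format used on this page, flags the size-probe idiom, decodes the information-class argument against the documented enumeration so the mismatch shows up, and indexes blocks by Opcode Fuzzy Hash for pivoting across reports. The sample input is three of this report's blocks retyped without indentation (constructed, abbreviated); the function names and the idiom heuristic are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three function blocks from this report, retyped without
# indentation and abbreviated. The second block keeps the sandbox's own
# "(TokenIntegrityLevel)" annotation so the decode mismatch is visible.
SAMPLE = """\
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00798CDE
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00798CE8
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00798CF7
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00798CFE
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00798D14
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• Opcode Fuzzy Hash: 75e262e871915c4fb67389c1c56c27af0849f15308c7b53650208f42c309786e
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00798D3F
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00798D49
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D58
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D5F
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D75
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• Opcode Fuzzy Hash: f86daa2dcf69dec4c83905e2af68875b63cf6b32f5ce4bdbf88992f3709b08e3
APIs
• EndPath.GDI32(?), ref: 0074179B
• DeleteObject.GDI32 ref: 007417DD
• StrokePath.GDI32(?), ref: 007417F8
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; args may nest
# one level of parentheses for the sandbox's value annotations.
API_RE = re.compile(
    r"^•\s*([A-Za-z_]\w*)\.([A-Za-z0-9]+)(?:\((.*)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")          # "• Key: value"
ARG_RE = re.compile(r"^-?([0-9A-Fa-f]{8})(?:\((\w+)\))?$")  # "00000003(Label)"

# TOKEN_INFORMATION_CLASS from winnt.h (partial). Value 3 is TokenPrivileges;
# TokenIntegrityLevel is 25.
TOKEN_INFORMATION_CLASS = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
    8: "TokenType", 12: "TokenSessionId", 18: "TokenElevationType",
    19: "TokenLinkedToken", 20: "TokenElevation", 25: "TokenIntegrityLevel",
}


def parse_arg(raw):
    """Split one stack argument into its hex value and the sandbox's annotation."""
    raw = raw.strip()
    m = ARG_RE.match(raw)
    if not m:                      # '?' (unknown) or a label-only stack slot
        return {"raw": raw, "value": None, "label": None}
    return {"raw": raw, "value": int(m.group(1), 16), "label": m.group(2)}


def parse_blocks(text):
    """Parse 'APIs' function blocks into API call lists plus Similarity metadata."""
    blocks, cur = [], None
    for line in text.splitlines():
        line = line.strip()            # tolerates the report's deep indentation
        if line == "APIs":
            cur = {"apis": [], "meta": defaultdict(list)}
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                   # section headings such as "Similarity"
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            cur["apis"].append({
                "name": name, "module": module, "ref": int(ref, 16),
                "args": [parse_arg(a) for a in args.split(",")] if args else [],
            })
            continue
        m = KV_RE.match(line)
        if m:
            cur["meta"][m.group(1).strip()].append(m.group(2).strip())
    return blocks


def size_probe_calls(block):
    """Names called twice with GetLastError and HeapAlloc between the two calls:
    the query-size / allocate / query-again idiom recorded in this report."""
    names = [a["name"] for a in block["apis"]]
    found = []
    for name in dict.fromkeys(names):
        idx = [i for i, n in enumerate(names) if n == name]
        if len(idx) >= 2 and {"GetLastError", "HeapAlloc"} <= set(names[idx[0] + 1:idx[1]]):
            found.append(name)
    return found


def token_classes(block):
    """(value, decoded class, sandbox label) for each GetTokenInformation call."""
    out = []
    for call in block["apis"]:
        if call["name"] == "GetTokenInformation" and len(call["args"]) > 1:
            arg = call["args"][1]
            out.append((arg["value"], TOKEN_INFORMATION_CLASS.get(arg["value"], "unknown"), arg["label"]))
    return out


def fuzzy_hash_index(blocks):
    """Opcode Fuzzy Hash -> API ID, for pivoting one function across reports."""
    return {b["meta"]["Opcode Fuzzy Hash"][0]: b["meta"]["API ID"][0]
            for b in blocks if b["meta"].get("Opcode Fuzzy Hash") and b["meta"].get("API ID")}


if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(i, size_probe_calls(b), token_classes(b))
```

The parser can be pointed at the raw report text as extracted, since leading whitespace is stripped per line; a block with no Opcode Fuzzy Hash line is simply left out of the index.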
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 0079CD90
                                                                                                                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0079CDA7
                                                                                                                                                                              • MessageBeep.USER32(00000000), ref: 0079CDBF
                                                                                                                                                                              • KillTimer.USER32(?,0000040A), ref: 0079CDDB
                                                                                                                                                                              • EndDialog.USER32(?,00000001), ref: 0079CDF5
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3741023627-0
                                                                                                                                                                              • Opcode ID: 8d8721dbd56ffcee82a9e284465c4037fd2ebf9bc3cb1f7efda4bc137b5095b6
                                                                                                                                                                              • Instruction ID: 37f5d737164560f87d517c8c4bb1b563c9557da5714090ba9eaee975d433cd26
                                                                                                                                                                              • Opcode Fuzzy Hash: 8d8721dbd56ffcee82a9e284465c4037fd2ebf9bc3cb1f7efda4bc137b5095b6
                                                                                                                                                                              • Instruction Fuzzy Hash: DA018630641704ABEF215F60ED5EBA67B78FB00715F00466AF582A10E1DBF8A9548BD5
APIs
• EndPath.GDI32(?), ref: 0074179B
• StrokeAndFillPath.GDI32(?,?,0077BBC9,00000000,?), ref: 007417B7
• SelectObject.GDI32(?,00000000), ref: 007417CA
• DeleteObject.GDI32 ref: 007417DD
• StrokePath.GDI32(?), ref: 007417F8
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
• CoInitialize.OLE32(00000000), ref: 007ACA75
• CoCreateInstance.OLE32(007D3D3C,00000000,00000001,007D3BAC,?), ref: 007ACA8D
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
• CoUninitialize.OLE32 ref: 007ACCFA
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
APIs
  • Part of subcall function 00760FE6: std::exception::exception.LIBCMT ref: 0076101C
  • Part of subcall function 00760FE6: __CxxThrowException@8.LIBCMT ref: 00761031
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 00751680: _memmove.LIBCMT ref: 007516DB
• __swprintf.LIBCMT ref: 0074E598
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0074E431
Similarity
• API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 1943609520-557222456
APIs
• __startOneArgErrorHandling.LIBCMT ref: 007652CD
  • Part of subcall function 00770320: __87except.LIBCMT ref: 0077035B
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
Similarity
• API ID:
• String ID: #$+
• API String ID: 0-2552117581
Similarity
• API ID: _memmove$_free
• String ID: #Vu
• API String ID: 2620147621-163864266
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memset$_memmove
                                                                                                                                                                              • String ID: ERCP
                                                                                                                                                                              • API String ID: 2532777613-1384759551
APIs
  • Part of subcall function 007A1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00799E4E,?,?,00000034,00000800,?,00000034), ref: 007A1CE5
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0079A3F7
  • Part of subcall function 007A1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00799E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 007A1CB0
  • Part of subcall function 007A1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 007A1C08
  • Part of subcall function 007A1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00799E12,00000034,?,?,00001004,00000000,00000000), ref: 007A1C18
  • Part of subcall function 007A1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00799E12,00000034,?,?,00001004,00000000,00000000), ref: 007A1C2E
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0079A464
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0079A4B1
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007C7A86
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007C7A9A
• SendMessageW.USER32(?,00001002,00000000,?), ref: 007C7ABE
Strings
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007C826F
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007C827D
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007C8284
Strings
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007C7360
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007C7370
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007C7395
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007C7D97
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007C7DAC
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007C7DB9
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
  • Part of subcall function 0077B544: _memset.LIBCMT ref: 0077B551
  • Part of subcall function 00760B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0077B520,?,?,?,0074100A), ref: 00760B79
• IsDebuggerPresent.KERNEL32(?,?,?,0074100A), ref: 0077B524
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0074100A), ref: 0077B533
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0077B52E
• =~, xrefs: 0077B514
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=~
                                                                                                                                                                              • API String ID: 3158253471-1125109550
                                                                                                                                                                              • Opcode ID: c223d67c237b31211d3758f6e9d66f231eb171a825c5f7c8d4b9fcaf4568cfbd
                                                                                                                                                                              • Instruction ID: 99d9fbd8e8d4761790ab894f052ccce5275ea3dcbfc4fa2a1d45aceb240dccdc
                                                                                                                                                                              • Opcode Fuzzy Hash: c223d67c237b31211d3758f6e9d66f231eb171a825c5f7c8d4b9fcaf4568cfbd
                                                                                                                                                                              • Instruction Fuzzy Hash: 4FE06DB02013518BD7209F3AE8087027BE0BF04344F10C92EE48AC3350DBBCE504CB91
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,0078027A,?), ref: 007BC6E7
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007BC6F9
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                                                                              • API String ID: 2574300362-1816364905
                                                                                                                                                                              • Opcode ID: fd48f4edcd1e2bdf86cafd83ad1bb27f3eb2c740a99302674072e8cfb5846641
                                                                                                                                                                              • Instruction ID: 37a295624954c470b6650e381e3011a7345ff33dedc57973f767c7dece3767fd
                                                                                                                                                                              • Opcode Fuzzy Hash: fd48f4edcd1e2bdf86cafd83ad1bb27f3eb2c740a99302674072e8cfb5846641
                                                                                                                                                                              • Instruction Fuzzy Hash: E9E08C781003038BEB224B25DC48B9A76E8AB04345F80D42AE885C2310DB7CD8408B90
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00754B44,?,007549D4,?,?,007527AF,?,00000001), ref: 00754B85
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00754B97
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                                              • API String ID: 2574300362-3689287502
                                                                                                                                                                              • Opcode ID: 4380131637f80fbb7b6fad9a0d940a5da3ab280b612846bf778b0f067de3b277
                                                                                                                                                                              • Instruction ID: ed54ce040dfa30984541446387085b3bd61a03c8437c3a3c4c66511884ebadf2
                                                                                                                                                                              • Opcode Fuzzy Hash: 4380131637f80fbb7b6fad9a0d940a5da3ab280b612846bf778b0f067de3b277
                                                                                                                                                                              • Instruction Fuzzy Hash: 2ED012B15107168FD7215F31EC5874A77E4AF04355F11D82AD895D2650DBB8E4C1C654
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00754AF7,?), ref: 00754BB8
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00754BCA
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                                              • API String ID: 2574300362-1355242751
                                                                                                                                                                              • Opcode ID: a1a2556e9a7dce360ec84fb4bab5638b40aa777033ffa8bc64ee80ac484af714
                                                                                                                                                                              • Instruction ID: 6926ee2d900a786e8745ee90cd333ed1900721de097978c4dba7395380c1d554
                                                                                                                                                                              • Opcode Fuzzy Hash: a1a2556e9a7dce360ec84fb4bab5638b40aa777033ffa8bc64ee80ac484af714
                                                                                                                                                                              • Instruction Fuzzy Hash: D3D017B05107178FDB209F31EC08B8A76E9AF04356F11ED6AD896D2654EBB8D8D0CA90
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,007C1696), ref: 007C1455
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007C1467
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                              • API String ID: 2574300362-4033151799
                                                                                                                                                                              • Opcode ID: 40a143ebea3ba100867bcd772bdc2abfbaf013a3c600c8bd8bdfcefddf0b3214
                                                                                                                                                                              • Instruction ID: bace16b6fee139655c52dea08ac205a7912138d0ee394d318d3ae0c601543dee
                                                                                                                                                                              • Opcode Fuzzy Hash: 40a143ebea3ba100867bcd772bdc2abfbaf013a3c600c8bd8bdfcefddf0b3214
                                                                                                                                                                              • Instruction Fuzzy Hash: 22D0C7B040131B8FE3208F30C908B0A73E8AF02382F00C83E94E2D2260EB78D8C0CB80
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00755E3D), ref: 007555FE
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00755610
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                                                              • API String ID: 2574300362-192647395
                                                                                                                                                                              • Opcode ID: d23cfffb2fdd654bf718e34561322fe17b91c85690abd117773518c93e91e4f4
                                                                                                                                                                              • Instruction ID: 79d759857a3196939b423a3eee23322ec45667b958a45f7c9909396c729a13d8
                                                                                                                                                                              • Opcode Fuzzy Hash: d23cfffb2fdd654bf718e34561322fe17b91c85690abd117773518c93e91e4f4
                                                                                                                                                                              • Instruction Fuzzy Hash: 47D012745117128FD7205F31D81875A76F4EF04756F11E82BD895D2251D7B8D480CAD4
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,007B93DE,?,007D0980), ref: 007B97D8
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007B97EA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 2e5c393d414284d5630894b9a174852c4796fb505db2cab1192fca5794366fbc
• Instruction ID: 865313fe9dabe54188b9de145956c7b6ea81cfb84290b719261cc971f8895a42
• Opcode Fuzzy Hash: 2e5c393d414284d5630894b9a174852c4796fb505db2cab1192fca5794366fbc
• Instruction Fuzzy Hash: 2BD012705107178FD7205F31ED8879A76E4AF04391F11D82AD595D2250EF78D480C651
APIs
• CharLowerBuffW.USER32(?,?), ref: 007BE7A7
• CharLowerBuffW.USER32(?,?), ref: 007BE7EA
  • Part of subcall function 007BDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007BDEAE
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007BE9EA
• _memmove.LIBCMT ref: 007BE9FD
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: e7dccee09ab3a83fbaaf9c8113beec7ee7044bcecca3fd03bd000c3638439252
• Instruction ID: 90a7ca9c7911d07878aa3466de0ce49e9472e81c964b1f8f10594405de382758
• Opcode Fuzzy Hash: e7dccee09ab3a83fbaaf9c8113beec7ee7044bcecca3fd03bd000c3638439252
• Instruction Fuzzy Hash: 96C15871A08301DFC714DF28C484AAABBE4FF89714F14896EF8999B351D739E945CB82
APIs
• CoInitialize.OLE32(00000000), ref: 007B87AD
• CoUninitialize.OLE32 ref: 007B87B8
  • Part of subcall function 007CDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,007B8A0E,?,00000000), ref: 007CDF71
• VariantInit.OLEAUT32(?), ref: 007B87C3
• VariantClear.OLEAUT32(?), ref: 007B8A94
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 31d6bb58b3160de1a72f73c26d021858ca5eaf43c90549844031525ac8ac95f2
• Instruction ID: 57526055f914f18ce989d4f9b43f7d5c297957451010712d399565c95357e48a
• Opcode Fuzzy Hash: 31d6bb58b3160de1a72f73c26d021858ca5eaf43c90549844031525ac8ac95f2
• Instruction Fuzzy Hash: 0AA15975604701DFDB50DF64C485B6AB7E8BF88310F148949FA959B3A1CB38ED00DB92
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007D3C4C,?), ref: 00798308
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007D3C4C,?), ref: 00798320
• CLSIDFromProgID.OLE32(?,?,00000000,007D0988,000000FF,?,00000000,00000800,00000000,?,007D3C4C,?), ref: 00798345
• _memcmp.LIBCMT ref: 00798366
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: e70ff2966df95c47be990287ad627e7cd22a9505c27e7e5ceb5778f0d0e33884
• Instruction ID: 793bb823aa1f4941b7aa63d4ddb97e1be06620d30497c0cab3a4d07e2b545ce9
• Opcode Fuzzy Hash: e70ff2966df95c47be990287ad627e7cd22a9505c27e7e5ceb5778f0d0e33884
• Instruction Fuzzy Hash: DC812A71A00109EFCF04DF94C888EEEB7B9FF89315F204599E506AB250DB75AE05CB61
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 45dbc963302b6dab3fc4c834011051666fec85f0d515d2717b32d6e44da7611a
• Instruction ID: f81f1e444804a6e1f2b18734a43d71cb957caf0c0c417518098a6e9517561cb4
• Opcode Fuzzy Hash: 45dbc963302b6dab3fc4c834011051666fec85f0d515d2717b32d6e44da7611a
• Instruction Fuzzy Hash: 9651BA30628701DBDF289F79E899B2DB3E5EF45310F24981FE556CB2A2EB389840C715
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 007BF526
• Process32FirstW.KERNEL32(00000000,?), ref: 007BF534
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
• Process32NextW.KERNEL32(00000000,?), ref: 007BF5F4
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 007BF603
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 4b90c8ded6eac5657ef3c929eba24ca43006a6d3ecf16a74a371f3506fbc4798
• Instruction ID: 45f6fdc95acfdbe6c88d674e88fd13db41bf6d4b6fa7035453469f5289d853a9
• Opcode Fuzzy Hash: 4b90c8ded6eac5657ef3c929eba24ca43006a6d3ecf16a74a371f3506fbc4798
• Instruction Fuzzy Hash: 95516E715043159FD320EF24DC49FABB7E8EF94700F40492DF99597251EB74A908CB92
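Three of the API sequences listed above are the ones an analyst would want to turn into a repeatable check rather than read by eye: LoadLibraryA("kernel32.dll") followed by GetProcAddress("GetModuleHandleExW") (imports resolved at run time), VirtualAlloc(NULL, 0x77, 0x3000, 0x40) followed by _memmove (a 119-byte region committed as PAGE_EXECUTE_READWRITE and then filled), and the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW / CloseHandle walk over the process list. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" lines in the exact format printed here, decodes the VirtualAlloc flag words with the documented Win32 constants, and flags those three patterns. The sample input is constructed from the lines of these entries; the behaviour names ("dynamic_api_resolution" and so on), the LOADERS/COPIERS sets and the pairing rules are this example's own choices, not the report's signature names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: "APIs" lines copied from several function entries above,
# in report order. Arguments are hexadecimal as printed; "?" means unknown.
SAMPLE_TRACE = """\
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,007B93DE,?,007D0980), ref: 007B97D8
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007B97EA
  • Part of subcall function 007BDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007BDEAE
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007BE9EA
• _memmove.LIBCMT ref: 007BE9FD
• CreateToolhelp32Snapshot.KERNEL32 ref: 007BF526
• Process32FirstW.KERNEL32(00000000,?), ref: 007BF534
• Process32NextW.KERNEL32(00000000,?), ref: 007BF5F4
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 007BF603
"""

# One "• Api.MODULE(args), ref: addr" line; the argument list and the
# "Part of subcall function" prefix are both optional in the report's format.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 values for VirtualAlloc's flAllocationType and flProtect.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
             0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
              0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE_PAGE = 0x10 | 0x20 | 0x40 | 0x80
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}   # example's own grouping
COPIERS = {"_memmove", "_memcpy", "memmove", "memcpy", "RtlMoveMemory", "WriteProcessMemory"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                          # call-site address from "ref:"
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

def parse_trace(text: str) -> list:
    """Parse the report's API lines into ApiCall records; other lines are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        raw, sub = m.group("args"), m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"),
                             [a.strip() for a in raw.split(",")] if raw else [],
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def _hexarg(a: str) -> Optional[int]:
    try:
        return int(a, 16)
    except ValueError:  # "?" (unknown) or a string argument such as a DLL name
        return None

def _flag_names(value: Optional[int], table: dict) -> list:
    if value is None:
        return ["?"]
    return [name for bit, name in sorted(table.items()) if value & bit] or ["0"]

def decode_virtualalloc(call: ApiCall) -> dict:
    """Decode VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)."""
    if call.api != "VirtualAlloc" or len(call.args) < 4:
        raise ValueError("not a VirtualAlloc call with four arguments")
    addr, size, alloc, prot = (_hexarg(a) for a in call.args[:4])
    return {"address": addr, "size": size,
            "allocation": _flag_names(alloc, MEM_FLAGS),
            "protect": _flag_names(prot, PAGE_FLAGS),
            "executable": prot is not None and bool(prot & EXECUTABLE_PAGE)}

def find_behaviours(calls: list) -> list:
    """Flag three sequences present in these entries, sorted by call site."""
    found = []
    for i, c in enumerate(calls):
        if c.api == "GetProcAddress":  # import resolved at run time
            lib = next((p for p in reversed(calls[:i]) if p.api in LOADERS), None)
            found.append({"behaviour": "dynamic_api_resolution", "ref": c.ref,
                          "library": lib.args[0] if lib and lib.args else "?",
                          "resolved": c.args[1] if len(c.args) > 1 else "?"})
        elif c.api == "VirtualAlloc" and len(c.args) >= 4:
            info = decode_virtualalloc(c)
            if info["executable"]:  # executable memory, then filled by a copy routine
                copier = next((n for n in calls[i + 1:] if n.api in COPIERS), None)
                found.append({"behaviour": "executable_alloc_then_copy", "ref": c.ref,
                              "size": info["size"], "protect": info["protect"],
                              "copy_api": copier.api if copier else None})
    apis = [c.api for c in calls]  # Toolhelp walk: snapshot, First, Next loop
    loop = next((c for c in calls if c.api.startswith("Process32Next")), None)
    if "CreateToolhelp32Snapshot" in apis and loop and \
            any(a.startswith("Process32First") for a in apis):
        found.append({"behaviour": "process_enumeration", "ref": loop.ref,
                      "closed": "CloseHandle" in apis})
    return sorted(found, key=lambda f: f["ref"])
```

Run `find_behaviours(parse_trace(SAMPLE_TRACE))` to get the three findings in call-site order. The decoding is only as good as the arguments the report recovered: where a value is printed as "?" the flag lists come back as ["?"] and nothing is flagged, so an unflagged VirtualAlloc is not evidence of a non-executable allocation; confirm the protection and the copied bytes in the memory dump listed under Memory Dump Source before relying on it.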
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0079A68A
• __itow.LIBCMT ref: 0079A6BB
  • Part of subcall function 0079A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0079A976
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 0079A724
• __itow.LIBCMT ref: 0079A77B
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 007B70BC
• WSAGetLastError.WSOCK32(00000000), ref: 007B70CC
  • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
  • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007B7130
• WSAGetLastError.WSOCK32(00000000), ref: 007B713C
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007D0980), ref: 007B6B92
• _strlen.LIBCMT ref: 007B6BC4
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007C8F03
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 007CB1D2
• GetWindowRect.USER32(?,?), ref: 007CB248
• PtInRect.USER32(?,?,007CC6BC), ref: 007CB258
• MessageBeep.USER32(00000000), ref: 007CB2C9
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007A1326
• SetKeyboardState.USER32(00000080,?,00000001), ref: 007A1342
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007A13A8
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007A13FA
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 432972143-0
                                                                                                                                                                              • Opcode ID: 11bd18b28f9cb17b52f7950251f4174d2327506bff46c9a4817e9ab427bbbc1a
                                                                                                                                                                              • Instruction ID: be434639f5f003eab88c4cb7b5f8aaba6a2aef58af9d60ceb5360e6d871fe95b
                                                                                                                                                                              • Opcode Fuzzy Hash: 11bd18b28f9cb17b52f7950251f4174d2327506bff46c9a4817e9ab427bbbc1a
                                                                                                                                                                              • Instruction Fuzzy Hash: 35316830944208AEFF30CE258C09BFEBBB9ABC7320F84831AF491526D0C37C89519B95
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 007A1465
                                                                                                                                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 007A1481
                                                                                                                                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 007A14E0
                                                                                                                                                                              • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 007A1532
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 432972143-0
                                                                                                                                                                              • Opcode ID: 737b39e471614ba0c31e6edcef4b1a2d4be44fac765dcb96072b27d1dc59127d
                                                                                                                                                                              • Instruction ID: 67dcc9e8b228e3ee252475ebe07ae7e0f8760571251f3ad079f4a6d935c88d5e
                                                                                                                                                                              • Opcode Fuzzy Hash: 737b39e471614ba0c31e6edcef4b1a2d4be44fac765dcb96072b27d1dc59127d
                                                                                                                                                                              • Instruction Fuzzy Hash: 1C313C30D402589EFF34CA699C04BFABB75ABCB310F88831BE481521D1C37C89559BA5
                                                                                                                                                                              APIs
                                                                                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0077642B
                                                                                                                                                                              • __isleadbyte_l.LIBCMT ref: 00776459
                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00776487
                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007764BD
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3058430110-0
                                                                                                                                                                              • Opcode ID: 13d151db6ffec070ab8775d54194517d83d2b19ce4e1217f03bcb8b78c210c86
                                                                                                                                                                              • Instruction ID: 8c5bcf84a6b2595d7bf27f648dd8409f8101b00a17151f8cee6b36f614cafb67
                                                                                                                                                                              • Opcode Fuzzy Hash: 13d151db6ffec070ab8775d54194517d83d2b19ce4e1217f03bcb8b78c210c86
                                                                                                                                                                              • Instruction Fuzzy Hash: 8131F230600696AFDF258F64CC44BBA7BA5FF40390F158529E82887195EB39EA50DB90
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 007C553F
                                                                                                                                                                                • Part of subcall function 007A3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007A3B4E
                                                                                                                                                                                • Part of subcall function 007A3B34: GetCurrentThreadId.KERNEL32 ref: 007A3B55
                                                                                                                                                                                • Part of subcall function 007A3B34: AttachThreadInput.USER32(00000000,?,007A55C0), ref: 007A3B5C
                                                                                                                                                                              • GetCaretPos.USER32(?), ref: 007C5550
                                                                                                                                                                              • ClientToScreen.USER32(00000000,?), ref: 007C558B
                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 007C5591
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2759813231-0
                                                                                                                                                                              • Opcode ID: db1d068e6fc8924908ae13a40ee2f116986a567e4ee1090a971538f099ad77b4
                                                                                                                                                                              • Instruction ID: 19a5c431925fc8390cc27f14f8c7cd5a15bb9082748445617e4f7bd27b0f41fb
                                                                                                                                                                              • Opcode Fuzzy Hash: db1d068e6fc8924908ae13a40ee2f116986a567e4ee1090a971538f099ad77b4
                                                                                                                                                                              • Instruction Fuzzy Hash: DE312F71E00108AFDB10EFA5D885EEFB7F9EF94704F10406AE515E7241EB79AE408BA0
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 007CCB7A
                                                                                                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0077BCEC,?,?,?,?,?), ref: 007CCB8F
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 007CCBDC
                                                                                                                                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0077BCEC,?,?,?), ref: 007CCC16
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2864067406-0
                                                                                                                                                                              • Opcode ID: bf60b1e7239c9895020fe25e2a805c93ccba6d6ec40a928ecd36efae46c72ba6
                                                                                                                                                                              • Instruction ID: 97686327fac24adb21afab2ba26b0f1e4a4cfab908c72ab55209e18bfbb74437
                                                                                                                                                                              • Opcode Fuzzy Hash: bf60b1e7239c9895020fe25e2a805c93ccba6d6ec40a928ecd36efae46c72ba6
                                                                                                                                                                              • Instruction Fuzzy Hash: 29319175600058AFCB168F94CC59FBA7BB9FB49310F0480ADF90997261C739AD61EFA0
                                                                                                                                                                              APIs
                                                                                                                                                                              • __setmode.LIBCMT ref: 00760BE2
                                                                                                                                                                                • Part of subcall function 0075402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007A7E51,?,?,00000000), ref: 00754041
                                                                                                                                                                                • Part of subcall function 0075402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007A7E51,?,?,00000000,?,?), ref: 00754065
                                                                                                                                                                              • _fprintf.LIBCMT ref: 00760C19
                                                                                                                                                                              • OutputDebugStringW.KERNEL32(?), ref: 0079694C
                                                                                                                                                                                • Part of subcall function 00764CCA: _flsall.LIBCMT ref: 00764CE3
                                                                                                                                                                              • __setmode.LIBCMT ref: 00760C4E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 521402451-0
                                                                                                                                                                              • Opcode ID: 53a8cc3107c59e7dd43ab31ed33dda64be544979e638637b8e3a260ce0904bb0
                                                                                                                                                                              • Instruction ID: df53762beea40adaf03550b602d395d493ef145374a713500e1aa67a3d10a210
                                                                                                                                                                              • Opcode Fuzzy Hash: 53a8cc3107c59e7dd43ab31ed33dda64be544979e638637b8e3a260ce0904bb0
                                                                                                                                                                              • Instruction Fuzzy Hash: BF112771905204FACB08B7B4EC4AAFE7769DF41321F10025AFA06562C2DF6E5C8697B1
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 00798D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00798D3F
                                                                                                                                                                                • Part of subcall function 00798D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00798D49
                                                                                                                                                                                • Part of subcall function 00798D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D58
                                                                                                                                                                                • Part of subcall function 00798D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D5F
                                                                                                                                                                                • Part of subcall function 00798D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798D75
                                                                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007992C1
                                                                                                                                                                              • _memcmp.LIBCMT ref: 007992E4
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0079931A
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 00799321
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1592001646-0
                                                                                                                                                                              • Opcode ID: 2a6926edbc6f31321e009f1c7e9bca7564ce4a30c37c269ab5ad996685f4a511
                                                                                                                                                                              • Instruction ID: 8342a2ec9d4f1afa5b19a7ac1279bd6b01b7c63bca85218ae07347a1c0f3c47f
                                                                                                                                                                              • Opcode Fuzzy Hash: 2a6926edbc6f31321e009f1c7e9bca7564ce4a30c37c269ab5ad996685f4a511
                                                                                                                                                                              • Instruction Fuzzy Hash: 4D218131E41108EFDF20DF98D949BEEB7B8FF44301F044059E545A7251D779AA04CBA0
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 007C63BD
                                                                                                                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007C63D7
                                                                                                                                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007C63E5
                                                                                                                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007C63F3
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Window$Long$AttributesLayered
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2169480361-0
                                                                                                                                                                              • Opcode ID: 262f6a3e3bf91360c564b6bc1853b03051c8ec170194f9e3b03d6562e9478346
                                                                                                                                                                              • Instruction ID: 187b0bd1690ca1c60c2d5c7bdd12a04fb4caf4b0540b5a20e2c7943ca3955f02
                                                                                                                                                                              • Opcode Fuzzy Hash: 262f6a3e3bf91360c564b6bc1853b03051c8ec170194f9e3b03d6562e9478346
                                                                                                                                                                              • Instruction Fuzzy Hash: C0119335305514AFDB04AB24DC89FBA77A9EF85320F14821DF916C72E2CB78AD01CB95
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 0079F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0079E46F,?,?,?,0079F262,00000000,000000EF,00000119,?,?), ref: 0079F867
                                                                                                                                                                                • Part of subcall function 0079F858: lstrcpyW.KERNEL32(00000000,?,?,0079E46F,?,?,?,0079F262,00000000,000000EF,00000119,?,?,00000000), ref: 0079F88D
                                                                                                                                                                                • Part of subcall function 0079F858: lstrcmpiW.KERNEL32(00000000,?,0079E46F,?,?,?,0079F262,00000000,000000EF,00000119,?,?), ref: 0079F8BE
                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0079F262,00000000,000000EF,00000119,?,?,00000000), ref: 0079E488
                                                                                                                                                                              • lstrcpyW.KERNEL32(00000000,?,?,0079F262,00000000,000000EF,00000119,?,?,00000000), ref: 0079E4AE
                                                                                                                                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0079F262,00000000,000000EF,00000119,?,?,00000000), ref: 0079E4E2
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcmpilstrcpylstrlen
                                                                                                                                                                              • String ID: cdecl
                                                                                                                                                                              • API String ID: 4031866154-3896280584
                                                                                                                                                                              • Opcode ID: 5f006ce84257582f6edb8279a1d4d3d79ae1a0b91035fa69e495031e8aaee3b8
                                                                                                                                                                              • Instruction ID: 2cb115a730cc930fbab5e33a9b983e31c301b06fbcd2165e5118fc6f0ed1d7b9
                                                                                                                                                                              • Opcode Fuzzy Hash: 5f006ce84257582f6edb8279a1d4d3d79ae1a0b91035fa69e495031e8aaee3b8
                                                                                                                                                                              • Instruction Fuzzy Hash: 6A11B136100345EFCF259F24EC49D7A77B8FF45350B40802AF80ACB2A0EB399951C791
                                                                                                                                                                              APIs
                                                                                                                                                                              • _free.LIBCMT ref: 00775331
                                                                                                                                                                                • Part of subcall function 0076593C: __FF_MSGBANNER.LIBCMT ref: 00765953
                                                                                                                                                                                • Part of subcall function 0076593C: __NMSG_WRITE.LIBCMT ref: 0076595A
                                                                                                                                                                                • Part of subcall function 0076593C: RtlAllocateHeap.NTDLL(01990000,00000000,00000001,?,00000004,?,?,00761003,?), ref: 0076597F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AllocateHeap_free
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 614378929-0
                                                                                                                                                                              • Opcode ID: 173b32d3d2b3fc8b401aab4d2df416f6ca15b8e4ec9582bc61d43bd1409bafcc
                                                                                                                                                                              • Instruction ID: a3f2406e32bf037d851c262ebcda927989c07bf2d96689111502b29995e4b4b0
                                                                                                                                                                              • Opcode Fuzzy Hash: 173b32d3d2b3fc8b401aab4d2df416f6ca15b8e4ec9582bc61d43bd1409bafcc
                                                                                                                                                                              • Instruction Fuzzy Hash: DF11C432505E15EFCF602F74AC0965A3794AF143E4F10862AFC1E9A1B1DFFC894087A1
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007A4385
                                                                                                                                                                              • _memset.LIBCMT ref: 007A43A6
                                                                                                                                                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007A43F8
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 007A4401
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1157408455-0
                                                                                                                                                                              • Opcode ID: 28b38ec9c5e2ef05cb590265c81b2162445858b2d752d27e69590fa3ae4248ca
                                                                                                                                                                              • Instruction ID: 981869f7cae968fc34ffb5688786d5c7689b66136d66ece29dca73496cc4fc42
                                                                                                                                                                              • Opcode Fuzzy Hash: 28b38ec9c5e2ef05cb590265c81b2162445858b2d752d27e69590fa3ae4248ca
                                                                                                                                                                              • Instruction Fuzzy Hash: 0A1101719022287AD73097A5AC4DFEFBB7CEF85720F10469AF904E7180D2744E40C7A4
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 0075402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007A7E51,?,?,00000000), ref: 00754041
                                                                                                                                                                                • Part of subcall function 0075402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007A7E51,?,?,00000000,?,?), ref: 00754065
                                                                                                                                                                              • gethostbyname.WSOCK32(?,?,?), ref: 007B6A84
                                                                                                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 007B6A8F
                                                                                                                                                                              • _memmove.LIBCMT ref: 007B6ABC
                                                                                                                                                                              • inet_ntoa.WSOCK32(?), ref: 007B6AC7
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1504782959-0
                                                                                                                                                                              • Opcode ID: bdbc41227753c9f2272afa9c9f48a58350261900f49a0a286ae868d39db24042
                                                                                                                                                                              • Instruction ID: 1417c88c33beb0a7f96ddc642d672a4fa2a8ed55a655c4d4fb3d2f672f725a9f
                                                                                                                                                                              • Opcode Fuzzy Hash: bdbc41227753c9f2272afa9c9f48a58350261900f49a0a286ae868d39db24042
                                                                                                                                                                              • Instruction Fuzzy Hash: 01116671500108DFCB04FBA4CD4AEEEB7B8EF04311B548055F906A72A2DF799E14DBA1
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 007429E2: GetWindowLongW.USER32(?,000000EB), ref: 007429F3
                                                                                                                                                                              • DefDlgProcW.USER32(?,00000020,?), ref: 007416B4
                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 0077B93C
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 0077B946
                                                                                                                                                                              • ScreenToClient.USER32(?,?), ref: 0077B951
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4127811313-0
                                                                                                                                                                              • Opcode ID: 85e9c5daccf934f9b187222ae9c28ed2d4344920278eb71b6429601533b1b4cf
                                                                                                                                                                              • Instruction ID: a06421a01efdd402567582f37764f706bd4c176b70760cc9cec86fa1cd55d510
                                                                                                                                                                              • Opcode Fuzzy Hash: 85e9c5daccf934f9b187222ae9c28ed2d4344920278eb71b6429601533b1b4cf
                                                                                                                                                                              • Instruction Fuzzy Hash: E0114975901019EBCB00EF54D889EBE77B8FB05300F444456F941E7140CB38FA91CBA6
                                                                                                                                                                              APIs
                                                                                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00799719
                                                                                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0079972B
                                                                                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00799741
                                                                                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0079975C
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3850602802-0
                                                                                                                                                                              • Opcode ID: 19631a52ebdbcfd9fc66bf4df62e4aeadfa95441c94d0709d220a05cb2703d90
                                                                                                                                                                              • Instruction ID: 675d89111bbb3b20c8b6ef5490e56968445032c6cd74dc8231860fdbd6053542
                                                                                                                                                                              • Opcode Fuzzy Hash: 19631a52ebdbcfd9fc66bf4df62e4aeadfa95441c94d0709d220a05cb2703d90
                                                                                                                                                                              • Instruction Fuzzy Hash: E6111879901218FFEF11DF99C985E9DBBB8FB48710F204095EA04B7290DA71AE11DB94
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074214F
                                                                                                                                                                              • GetStockObject.GDI32(00000011), ref: 00742163
                                                                                                                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0074216D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateMessageObjectSendStockWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3970641297-0
                                                                                                                                                                              • Opcode ID: 7f1e333becef2361e5e4d447ed21f6f4acdb11ff1a3c3664721c12d031fee751
                                                                                                                                                                              • Instruction ID: e0c45007d6d0baa6d88901989ecde92bbd397a386ced90f65645196a7cca7a42
                                                                                                                                                                              • Opcode Fuzzy Hash: 7f1e333becef2361e5e4d447ed21f6f4acdb11ff1a3c3664721c12d031fee751
                                                                                                                                                                              • Instruction Fuzzy Hash: DF118B7250214DBFDF025FA09C44EEABB69EF583A4F444112FA0452111C779DC619BA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007A04EC,?,007A153F,?,00008000), ref: 007A195E
                                                                                                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,007A04EC,?,007A153F,?,00008000), ref: 007A1983
                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007A04EC,?,007A153F,?,00008000), ref: 007A198D
                                                                                                                                                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,007A04EC,?,007A153F,?,00008000), ref: 007A19C0
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CounterPerformanceQuerySleep
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2875609808-0
                                                                                                                                                                              • Opcode ID: 87c987695f8450558a88fb078f759ac9ec400116a119549b2c93a5bd7a6d8d1a
                                                                                                                                                                              • Instruction ID: 104a515c9f973c03e3dbe6339a925f1cf8e909bcceb098b43f676e03843d49c7
                                                                                                                                                                              • Opcode Fuzzy Hash: 87c987695f8450558a88fb078f759ac9ec400116a119549b2c93a5bd7a6d8d1a
                                                                                                                                                                              • Instruction Fuzzy Hash: BF114831C0566CEBDF00DFA4D958BEEBB78BF4A711F408246E980B6240CB39A650CBD5
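The function record above ends with the call sequence QueryPerformanceCounter, Sleep, QueryPerformanceCounter, Sleep. That is the shape of a timing-based debugger and sandbox check: the code measures how long Sleep actually took and treats a delay that was skipped (a hooked or fast-forwarded Sleep, which is how many sandboxes shorten analysis time) or stretched (single-stepping, breakpoints) as evidence that it is being watched. The report recovers only the import sequence, not the function body, so the same sequence is equally consistent with an ordinary high-resolution delay loop. The C below is an added illustration of the check-shaped reading, written for this edit and not taken from the sample; the 16 ms slack and the "too slow" factor of 10 are assumed thresholds, and the counter values in main() are constructed, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Verdict of a timing check wrapped around a Sleep() call. */
typedef enum {
    TIMING_OK       = 0,  /* elapsed time matches the requested delay */
    TIMING_TOO_FAST = 1,  /* Sleep returned early: hooked or fast-forwarded (typical sandbox) */
    TIMING_TOO_SLOW = 2   /* elapsed time far exceeds the delay: single-stepping or breakpoints */
} timing_verdict;

/*
 * Portable core of the check, kept free of Windows calls so it can be
 * exercised with constructed counter values on any platform.
 *   before, after : QueryPerformanceCounter readings taken around Sleep()
 *   freq          : QueryPerformanceFrequency (ticks per second)
 *   requested_ms  : the argument passed to Sleep()
 *   slack_ms      : tolerance for normal scheduler jitter
 * The "too slow" multiplier of 10 is an assumed threshold for this example.
 */
timing_verdict timing_check(int64_t before, int64_t after, int64_t freq,
                            int64_t requested_ms, int64_t slack_ms)
{
    if (freq <= 0 || after < before)        /* counter went backwards: treat as tampering */
        return TIMING_TOO_FAST;
    int64_t elapsed_ms = (after - before) * 1000 / freq;
    if (elapsed_ms + slack_ms < requested_ms)
        return TIMING_TOO_FAST;
    if (elapsed_ms > requested_ms * 10 + slack_ms)
        return TIMING_TOO_SLOW;
    return TIMING_OK;
}

#ifdef _WIN32
/* Live form of the check, matching the import order seen in the record:
 * QueryPerformanceCounter, Sleep, QueryPerformanceCounter. */
timing_verdict live_timing_check(DWORD requested_ms)
{
    LARGE_INTEGER freq, before, after;
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&before);
    Sleep(requested_ms);
    QueryPerformanceCounter(&after);
    /* 16 ms slack covers the default Windows timer resolution (assumed tolerance) */
    return timing_check(before.QuadPart, after.QuadPart, freq.QuadPart,
                        (int64_t)requested_ms, 16);
}
#endif

int main(void)
{
#ifdef _WIN32
    const char *names[] = { "ok", "too fast", "too slow" };
    printf("100 ms sleep: %s\n", names[live_timing_check(100)]);
#else
    /* Constructed counter values standing in for a 10 MHz performance counter. */
    const int64_t freq = 10000000;
    printf("real sleep:     %d\n", timing_check(0, 1000000,  freq, 100, 16));  /* 100 ms */
    printf("hooked sleep:   %d\n", timing_check(0, 10000,    freq, 100, 16));  /*   1 ms */
    printf("stepped in dbg: %d\n", timing_check(0, 50000000, freq, 100, 16));  /* 5000 ms */
#endif
    return 0;
}
```

From the defender's side the useful consequence is the inverse: a sandbox that patches Sleep to return immediately is exactly what the "too fast" branch exposes, so emulators that want to survive this pattern must also advance the value QueryPerformanceCounter reports by the skipped amount.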
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007CE1EA
                                                                                                                                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 007CE201
                                                                                                                                                                              • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 007CE216
                                                                                                                                                                              • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 007CE234
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1352324309-0
                                                                                                                                                                              • Opcode ID: 6bcfdd4bc3815ccfdc5a598a8e5b07e84cdf659ae602ccc023fdf17bbb867696
                                                                                                                                                                              • Instruction ID: a456500f830e8e5806540dd59261e74445ea56cbf1e920dc6ae07fd0e55bfb3e
                                                                                                                                                                              • Opcode Fuzzy Hash: 6bcfdd4bc3815ccfdc5a598a8e5b07e84cdf659ae602ccc023fdf17bbb867696
                                                                                                                                                                              • Instruction Fuzzy Hash: 761161B5206B049BE3308F51DD0CF93BBBCFB00B10F10855EAA56D6050D7B8F504ABA1
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3016257755-0
APIs
• GetWindowRect.USER32(?,?), ref: 007CB956
• ScreenToClient.USER32(?,?), ref: 007CB96E
• ScreenToClient.USER32(?,?), ref: 007CB992
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007CB9AD
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• _memset.LIBCMT ref: 007CBCB6
• _memset.LIBCMT ref: 007CBCC5
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00808F20,00808F64), ref: 007CBCF4
• CloseHandle.KERNEL32 ref: 007CBD06
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 007A71A1
  • Part of subcall function 007A7C7F: _memset.LIBCMT ref: 007A7CB4
• _memmove.LIBCMT ref: 007A71C4
• _memset.LIBCMT ref: 007A71D1
• LeaveCriticalSection.KERNEL32(?), ref: 007A71E1
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
APIs
  • Part of subcall function 007416CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00741729
  • Part of subcall function 007416CF: SelectObject.GDI32(?,00000000), ref: 00741738
  • Part of subcall function 007416CF: BeginPath.GDI32(?), ref: 0074174F
  • Part of subcall function 007416CF: SelectObject.GDI32(?,00000000), ref: 00741778
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007CC3E8
• LineTo.GDI32(00000000,?,?), ref: 007CC3F5
• EndPath.GDI32(00000000), ref: 007CC405
• StrokePath.GDI32(00000000), ref: 007CC413
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0079AA6F
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0079AA82
• GetCurrentThreadId.KERNEL32 ref: 0079AA89
• AttachThreadInput.USER32(00000000), ref: 0079AA90
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
• GetSysColor.USER32(00000008), ref: 0074260D
• SetTextColor.GDI32(?,000000FF), ref: 00742617
• SetBkMode.GDI32(?,00000001), ref: 0074262C
• GetStockObject.GDI32(00000005), ref: 00742634
• GetWindowDC.USER32(?,00000000), ref: 0077C1C4
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0077C1D1
• GetPixel.GDI32(00000000,?,00000000), ref: 0077C1EA
• GetPixel.GDI32(00000000,00000000,?), ref: 0077C203
• GetPixel.GDI32(00000000,?,?), ref: 0077C223
• ReleaseDC.USER32(?,00000000), ref: 0077C22E
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1946975507-0
                                                                                                                                                                              • Opcode ID: ab6aa8117085cf1c5d1c1a494cc68c9ab0b35a6cf7c41c9477a07216cf440257
                                                                                                                                                                              • Instruction ID: 637cd80d4ae5a4d7f977510e72a3da6adcd085df6955935b2f8925e049fe5f7d
                                                                                                                                                                              • Opcode Fuzzy Hash: ab6aa8117085cf1c5d1c1a494cc68c9ab0b35a6cf7c41c9477a07216cf440257
                                                                                                                                                                              • Instruction Fuzzy Hash: 35E06531505248BBDF225FB4BC09BDC3B21EB05331F04C367FA69480E287764990DB56
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 00799339
                                                                                                                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00798F04), ref: 00799340
                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00798F04), ref: 0079934D
                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00798F04), ref: 00799354
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CurrentOpenProcessThreadToken
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3974789173-0
                                                                                                                                                                              • Opcode ID: 09e335351716ec31d2695a2c3e323b6f952563af578544722a2f629308264082
                                                                                                                                                                              • Instruction ID: f2aa4aa8175f7f499957dab54521fc4b99b27112837888da57924e572b49b32b
                                                                                                                                                                              • Opcode Fuzzy Hash: 09e335351716ec31d2695a2c3e323b6f952563af578544722a2f629308264082
                                                                                                                                                                              • Instruction Fuzzy Hash: 07E04F32603211ABEB201FB56E0EB563B7CEF50791F118819A245C9090E63C9444C794
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetDesktopWindow.USER32 ref: 00780679
                                                                                                                                                                              • GetDC.USER32(00000000), ref: 00780683
                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007806A3
                                                                                                                                                                              • ReleaseDC.USER32(?), ref: 007806C4
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2889604237-0
                                                                                                                                                                              • Opcode ID: 0248395c9c4ed30a9dbe3736f1795e0e10de04af912e4e65a22ab61f76750da4
                                                                                                                                                                              • Instruction ID: 062eb585f0e9c90c3d7bd96863a0657c652d655992c63af0c5a3d580947989a5
                                                                                                                                                                              • Opcode Fuzzy Hash: 0248395c9c4ed30a9dbe3736f1795e0e10de04af912e4e65a22ab61f76750da4
                                                                                                                                                                              • Instruction Fuzzy Hash: DFE0EEB1901204EFCB519FB0D808BAD7BB1EB88310F11D00AF95AA7210DB3C85519F99
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetDesktopWindow.USER32 ref: 0078068D
                                                                                                                                                                              • GetDC.USER32(00000000), ref: 00780697
                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007806A3
                                                                                                                                                                              • ReleaseDC.USER32(?), ref: 007806C4
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2889604237-0
                                                                                                                                                                              • Opcode ID: f5118bd75592556013d6ff2bf7face3ebf6f5d52b923b8175d97f532948a5938
                                                                                                                                                                              • Instruction ID: e67792a472e5a2ead768ff2870ac48ecc247a96e7c662fa83aa9b67a18ebf3f4
                                                                                                                                                                              • Opcode Fuzzy Hash: f5118bd75592556013d6ff2bf7face3ebf6f5d52b923b8175d97f532948a5938
                                                                                                                                                                              • Instruction Fuzzy Hash: CBE0EEB1801204AFCB119FB0D808BAD7BB1EB88310F10C00AF95AA7210CB3C95519F98
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 0075436A: _wcscpy.LIBCMT ref: 0075438D
                                                                                                                                                                                • Part of subcall function 00744D37: __itow.LIBCMT ref: 00744D62
                                                                                                                                                                                • Part of subcall function 00744D37: __swprintf.LIBCMT ref: 00744DAC
                                                                                                                                                                              • __wcsnicmp.LIBCMT ref: 007AB670
                                                                                                                                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007AB739
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                                                                              • String ID: LPT
                                                                                                                                                                              • API String ID: 3222508074-1350329615
                                                                                                                                                                              • Opcode ID: 94785b478bb77cb9ab35becac4b2140b399a0ed612505dccb2267fab32c3754d
                                                                                                                                                                              • Instruction ID: fb9d17adc12c732907b925902c9ea70c239781160c3ed94e5728643310043885
                                                                                                                                                                              • Opcode Fuzzy Hash: 94785b478bb77cb9ab35becac4b2140b399a0ed612505dccb2267fab32c3754d
                                                                                                                                                                              • Instruction Fuzzy Hash: BD61A775A00219EFCB14DF94C895EAEB7B4EF89310F14815AF906AB392D778AE44CF50
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memmove
                                                                                                                                                                              • String ID: #Vu
                                                                                                                                                                              • API String ID: 4104443479-163864266
                                                                                                                                                                              • Opcode ID: acc293fdc3e06b4b666fc737dd1d691d3233f932bd1abc08b3e18a8d85250412
                                                                                                                                                                              • Instruction ID: 55e1f676d7d31f755e26df0f5cfa281c6713a5cf9432634d9886d65219ffdd46
                                                                                                                                                                              • Opcode Fuzzy Hash: acc293fdc3e06b4b666fc737dd1d691d3233f932bd1abc08b3e18a8d85250412
                                                                                                                                                                              • Instruction Fuzzy Hash: B0518170D44609DFCF28DF68C884AAEBBB1FF44314F248529E85AD7240E739E955CB91
                                                                                                                                                                              APIs
                                                                                                                                                                              • Sleep.KERNEL32(00000000), ref: 0074E01E
                                                                                                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 0074E037
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: GlobalMemorySleepStatus
                                                                                                                                                                              • String ID: @
                                                                                                                                                                              • API String ID: 2783356886-2766056989
                                                                                                                                                                              • Opcode ID: 910e45ba54d46291d47d785b671bd52b95036a7fece84c9b6400f3670c671de0
                                                                                                                                                                              • Instruction ID: 0a66d563bfdb92e3bab5cd8ae256d875d57c64c116938ae2645954a340724af4
                                                                                                                                                                              • Opcode Fuzzy Hash: 910e45ba54d46291d47d785b671bd52b95036a7fece84c9b6400f3670c671de0
                                                                                                                                                                              • Instruction Fuzzy Hash: 015149B1508748DBE320AF50E88ABAFBBF8FF84714F51884DF2D8411A1DB749529CB56
                                                                                                                                                                              APIs
                                                                                                                                                                              • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007C8186
                                                                                                                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007C819B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MessageSend
                                                                                                                                                                              • String ID: '
                                                                                                                                                                              • API String ID: 3850602802-1997036262
                                                                                                                                                                              • Opcode ID: 45f1a13fa4942f25dceaafecdfac7c3b15a703dce0dfa710da692180cf7c1ad6
                                                                                                                                                                              • Instruction ID: 28f05ac8c2dda05bb407fef7af0fd0ac0bd352f2593dcac3dc849090ee2785db
                                                                                                                                                                              • Opcode Fuzzy Hash: 45f1a13fa4942f25dceaafecdfac7c3b15a703dce0dfa710da692180cf7c1ad6
                                                                                                                                                                              • Instruction Fuzzy Hash: 4E410774A012099FDB54CF68C881FEA7BF5FB09340F14416EE904AB351DB35A956CF91
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 007B2C6A
                                                                                                                                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007B2CA0
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CrackInternet_memset
                                                                                                                                                                              • String ID: |
                                                                                                                                                                              • API String ID: 1413715105-2343686810
                                                                                                                                                                              • Opcode ID: 2e681ee4ecdb127d34476b63840f27332e44316130f64b9f22f2d27a595d7213
                                                                                                                                                                              • Instruction ID: 3aee686c76adb9213c2a859797fbccdd9192217d62adfaf81f57847bfe588447
                                                                                                                                                                              • Opcode Fuzzy Hash: 2e681ee4ecdb127d34476b63840f27332e44316130f64b9f22f2d27a595d7213
                                                                                                                                                                              • Instruction Fuzzy Hash: BD310771D01219EBCF11EFA0CC89AEEBFB9FF08311F100059FC15A6262EA755956DBA0
                                                                                                                                                                              APIs
                                                                                                                                                                              • DestroyWindow.USER32(?,?,?,?), ref: 007C713C
                                                                                                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007C7178
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Window$DestroyMove
                                                                                                                                                                              • String ID: static
                                                                                                                                                                              • API String ID: 2139405536-2160076837
                                                                                                                                                                              • Opcode ID: dcc8a32df79f5b64fc546b0904844469a6963b5eca810d097430eb3d344336c6
                                                                                                                                                                              • Instruction ID: afd9d4ac10fe43ea59ca4f5d41e991e6a22d0cdf1dc96e62b91009bbaaf7ae5c
                                                                                                                                                                              • Opcode Fuzzy Hash: dcc8a32df79f5b64fc546b0904844469a6963b5eca810d097430eb3d344336c6
                                                                                                                                                                              • Instruction Fuzzy Hash: 4A318D71100608AADB149F78CC85FFB73A9FF88720F10961DF9A597191DB38AC81DBA0
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 007A30B8
                                                                                                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A30F3
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InfoItemMenu_memset
                                                                                                                                                                              • String ID: 0
                                                                                                                                                                              • API String ID: 2223754486-4108050209
                                                                                                                                                                              • Opcode ID: f6b7e372b5c6bcfbc71f839a9f9e44015560f4f65fb735e80ae717cfedb3374a
                                                                                                                                                                              • Instruction ID: 6531407898dc69ddbf1586f1399398a92d25a1df0a10e01d0470964d5cd162b9
                                                                                                                                                                              • Opcode Fuzzy Hash: f6b7e372b5c6bcfbc71f839a9f9e44015560f4f65fb735e80ae717cfedb3374a
                                                                                                                                                                              • Instruction Fuzzy Hash: AC31FB7160030DDBEB248F54C885FAEBBB9FF86350F144119FD85A6191E7789B44CB50
                                                                                                                                                                              APIs
                                                                                                                                                                              • __snwprintf.LIBCMT ref: 007B4132
                                                                                                                                                                                • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __snwprintf_memmove
                                                                                                                                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                                                                              • API String ID: 3506404897-2584243854
                                                                                                                                                                              • Opcode ID: d2a1371e3fc58a2fbbcb471fc8f45f3accfcf328aee8e309bee3eac7d6086e2e
                                                                                                                                                                              • Instruction ID: e9faa1d56b0aa2452dea406018f2272b66f1910ab8f622276e1251d1c5e0e4e1
                                                                                                                                                                              • Opcode Fuzzy Hash: d2a1371e3fc58a2fbbcb471fc8f45f3accfcf328aee8e309bee3eac7d6086e2e
                                                                                                                                                                              • Instruction Fuzzy Hash: 00217171A0021DEBCF10EF64C896FEE77B9AF54342F404455F905A7242EB78B945CBA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007C6D86
                                                                                                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C6D91
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: c363e3a8cf39168ad426e285c3c3320b72ead15b589c29f21099058868e4df78
• Instruction ID: c3b65630e80afdc65cfb3e8a4c6f885c7e5a333a346ac192f8aaf72a93fc94c2
• Opcode Fuzzy Hash: c363e3a8cf39168ad426e285c3c3320b72ead15b589c29f21099058868e4df78
• Instruction Fuzzy Hash: A311B271310208AFEF219E54DCC1FBB3B6AEB883A4F10412DF9159B291D639DC5187A0
APIs
  • Part of subcall function 00742111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0074214F
  • Part of subcall function 00742111: GetStockObject.GDI32(00000011), ref: 00742163
  • Part of subcall function 00742111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0074216D
• GetWindowRect.USER32(00000000,?), ref: 007C7296
• GetSysColor.USER32(00000012), ref: 007C72B0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: a452cec238689354477fe320289a9ac5c888059f116b52e183ab952f8fc26aef
• Instruction ID: 1fef231b78bb0bbbdd2d08a56dd5c4c519ea898e86957d9a82c58952d078d34f
• Opcode Fuzzy Hash: a452cec238689354477fe320289a9ac5c888059f116b52e183ab952f8fc26aef
• Instruction Fuzzy Hash: DA21F47261420AAFDB04DFA8DC46EAA7BB8FB08314F005519BD55D3251DA39A861DBA0
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 007C6FC7
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007C6FD6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: e5bb4c214cf5251a63cd334727ac187b2f681d5eda4a0175fb34e8da52ee5dd1
• Instruction ID: 9e9a35653ccba8716e6e164fb577b6c249d9fcf9ae4806da4f8070d405ecd2a6
• Opcode Fuzzy Hash: e5bb4c214cf5251a63cd334727ac187b2f681d5eda4a0175fb34e8da52ee5dd1
• Instruction Fuzzy Hash: 3E114C71500208AFEB109E64EC85FFB3BAAEB45368F50471CFA65971E0C779DC519BA0
APIs
• _memset.LIBCMT ref: 007A31C9
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007A31E8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: fa6a6aa202edad9c6ac407c8a65fcfc7a59182d5e1385c637445458f6cc431f9
• Instruction ID: ed3950a30b18ce29904cc1d6048c091a286eb9f5f38f2ea5f52620bb32c66d31
• Opcode Fuzzy Hash: fa6a6aa202edad9c6ac407c8a65fcfc7a59182d5e1385c637445458f6cc431f9
• Instruction Fuzzy Hash: CE11E232E0151CABDB20DE98DC45B9D77B8AB87310F184222F916A72A0D778AF05CB91
APIs
• DeleteObject.GDI32(?), ref: 0074351D
• DestroyWindow.USER32(?,?,00754E61), ref: 00743576
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: DeleteDestroyObjectWindow
• String ID: h}
• API String ID: 2587070983-1190393154
• Opcode ID: 833e1f7f0af5c3292072b18afcc0bb594e246e1a7fe3d24029ead507d035f7ed
• Instruction ID: 6a80ed31476377a60c7363bef390b9bf2a3b6db1c3ae4c4299cbea50e1fa4946
• Opcode Fuzzy Hash: 833e1f7f0af5c3292072b18afcc0bb594e246e1a7fe3d24029ead507d035f7ed
• Instruction Fuzzy Hash: E6214230A09200CFCB58EF28DC5872573F0BB44311B058169E40A8B3A1DB78EE50CF99
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007B28F8
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007B2921
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: b98dc53a558b6b87a829742cf0b0945328317e6d7e42167e07d1bca8abbf5da7
• Instruction ID: 59c6a29b4a06b96fb4f2e43b91575ee106a2a92e48358ae8c963568dec96a199
• Opcode Fuzzy Hash: b98dc53a558b6b87a829742cf0b0945328317e6d7e42167e07d1bca8abbf5da7
• Instruction Fuzzy Hash: 6611E070502225BAEB258F518C88FFBFBACFF15760F10852AF50956101E3786892DAE0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: _wcscmp
• String ID: 0.0.0.0$L,}
• API String ID: 856254489-2768579157
• Opcode ID: 379a7cd7dc855774d281dd739c81e5f5d87cff60cafff8071cf5f30827872fa0
• Instruction ID: 1e7f04157a4c615db3c0cf3d4565bb200b7bef52ceb6819cf0977d9b52c884b8
• Opcode Fuzzy Hash: 379a7cd7dc855774d281dd739c81e5f5d87cff60cafff8071cf5f30827872fa0
• Instruction Fuzzy Hash: 1811C475700208DFCB14EE14C885E59B3B5AF86714F158159FA0A5F3A1CA38FD46DB60
APIs
  • Part of subcall function 007B86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007B849D,?,00000000,?,?), ref: 007B86F7
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007B84A0
• htons.WSOCK32(00000000,?,00000000), ref: 007B84DD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
                                                                                                                                                                              • API String ID: 2496851823-2422070025
                                                                                                                                                                              • Opcode ID: 37cd7c98c54afd3cc7d651cfdd4cf580e624738b759dd98eb47fec894dc7c8d4
                                                                                                                                                                              • Instruction ID: 9be93e5df6c0ef18b9c002d343e0b20a75dc5a922bc0b85626f20d1f22c7ece9
                                                                                                                                                                              • Opcode Fuzzy Hash: 37cd7c98c54afd3cc7d651cfdd4cf580e624738b759dd98eb47fec894dc7c8d4
                                                                                                                                                                              • Instruction Fuzzy Hash: C311A53560020AABDF14EF64DC46FEEB368FF04321F108517F915572D1DB75A814CA96
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 0079B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0079B7BD
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00799A2B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 4a79d3acec6eda73d57dd211bbd5dabe960466a79e728996385c0a37e9e51e74
• Instruction ID: c50294b853e2f267b2e01cd51869f901a7f9a14aedd5c7f9fdb0fb8dc4bbe1a6
• Opcode Fuzzy Hash: 4a79d3acec6eda73d57dd211bbd5dabe960466a79e728996385c0a37e9e51e74
• Instruction Fuzzy Hash: 9001D2B1A42118EB8F14EBB8DC569FE7369EF52321B404609F961572C1EE395808C660
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: 15d88fbeef248fd9478c2b0753edb0c23552cf306dc0d8b3923b8fbe7a0cc771
• Instruction ID: 9c8612646b6a2523f874f40193d487bfd54ccf15d1b895b279286ac70bd453ce
• Opcode Fuzzy Hash: 15d88fbeef248fd9478c2b0753edb0c23552cf306dc0d8b3923b8fbe7a0cc771
• Instruction Fuzzy Hash: 6001F972804258BEDF18C6A8CC5AEBEBBF89B02301F00429AF653D2581E579E6148B60
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 0079B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0079B7BD
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00799923
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: cb2124e775e110ff543aef7d5ccc7f233719af6fef308ad4874d2c8d4b82b7ea
• Instruction ID: be5ac923e922540e8c218ae6237f33af7c2ec585244aa65cb3db939fd06f6aea
• Opcode Fuzzy Hash: cb2124e775e110ff543aef7d5ccc7f233719af6fef308ad4874d2c8d4b82b7ea
• Instruction Fuzzy Hash: C401DFB6A42108ABDF14EBA4D956EFE73A89F51341F50011EB942A3281DA585E0CD6B1
APIs
  • Part of subcall function 00751A36: _memmove.LIBCMT ref: 00751A77
  • Part of subcall function 0079B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0079B7BD
• SendMessageW.USER32(?,00000182,?,00000000), ref: 007999A6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: b0facca8c229e46ed49d822d2d705599037baa7f57679b7e4948f450d1d5804d
• Instruction ID: 39598cf056add746e969261e07325e896f6cd8e67ef2c3d04c09dff7e722b060
• Opcode Fuzzy Hash: b0facca8c229e46ed49d822d2d705599037baa7f57679b7e4948f450d1d5804d
• Instruction Fuzzy Hash: 4401F2B2A4210CAADF10EBB4DA06FFE73AC9F51351F50011ABD45A3281DA6D9E0CD6B1
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 9017fe780d33ed2a3517e4c3f8622bb6048f6784d04448a488ebaefe86bbe040
• Instruction ID: 407579911bb125bc45b31b5350d0c91447194203d9209765267058b05ee01b9c
• Opcode Fuzzy Hash: 9017fe780d33ed2a3517e4c3f8622bb6048f6784d04448a488ebaefe86bbe040
• Instruction Fuzzy Hash: E1E06872A0022C6BD720AB99EC49FABFBBCEB55731F000017FD04D7051EA64EA4087E0
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007988A0
  • Part of subcall function 00763588: _doexit.LIBCMT ref: 00763592
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_740000_Launches.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 6f0e8c9b5c0448aa780dc145d54ab30ee3f6dfda3e40faee07c66a66d1452d5a
• Instruction ID: e69cbf7ac17b22cbd9ff311e01699894678bb87d30790074f6ca043da2a96837
• Opcode Fuzzy Hash: 6f0e8c9b5c0448aa780dc145d54ab30ee3f6dfda3e40faee07c66a66d1452d5a
• Instruction Fuzzy Hash: 3CD0C2B138135872C21032A86C0EFEA2A488B05B51F004026BF08651C349DD899181E6
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00780091
                                                                                                                                                                                • Part of subcall function 007BC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0078027A,?), ref: 007BC6E7
                                                                                                                                                                                • Part of subcall function 007BC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007BC6F9
                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00780289
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 0000000A.00000002.2894756195.0000000000741000.00000020.00000001.01000000.00000006.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                              • Associated: 0000000A.00000002.2894716076.0000000000740000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007D0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894810207.00000000007F6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894865972.0000000000800000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              • Associated: 0000000A.00000002.2894887053.0000000000809000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_10_2_740000_Launches.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                                                                                                              • String ID: WIN_XPe
                                                                                                                                                                              • API String ID: 582185067-3257408948
                                                                                                                                                                              • Opcode ID: 4b78adc430529c20b2234514a6db3ac1a6928e286018b119c9d4512a72129573
                                                                                                                                                                              • Instruction ID: 50b8b0d78890e36d793d88834e6e41787892e0c896889f8a11ac56fc8a7f44e2
                                                                                                                                                                              • Opcode Fuzzy Hash: 4b78adc430529c20b2234514a6db3ac1a6928e286018b119c9d4512a72129573
                                                                                                                                                                              • Instruction Fuzzy Hash: 2EF03971845109DFCB95EBA1C988BECBBB8AB08300F245085E146A2190CB794F88CF60